I had to laugh at "Apple security flaw could let hackers beat encryption"
Funny thing about this article, it makes me not want to trust app developers like Level -- since, by chance, apps like Chrome were not affected. Now, does this really mean I'm suggesting don't use SecureTransport? No, but "The only fix is to install the latest security patch, which Apple released Feb. 21." is a lie, as is "Level [...] is requiring that users update their OS before they can use the app—a necessary step, according to Fuentes."
Frankly, "It's a lot more technical and hard for nontechnical people to grasp," is silly too. What's so hard to understand about "if you're running iOS 6 or 7 before the recent updates, the padlock you see in your Safari browser is meaningless"? Of course, it's harder to tell if any other apps are using SSL in the first place, but you shouldn't trust apps with your data unless they're from reputable developers who will take responsibility for risks (e.g. banks). And at that point, it's the developer's job to release an update that doesn't use SecureTransport for older OSes -- as well as encouraging people to update and disallowing prior releases from being automatically downloaded through the App Store (unless they target iOS 4 or 5 specifically).
> Because the certificate chain is correct and it's the link from the handshake to that chain which is broken, I don't believe any sort of certificate pinning would have stopped this.
If a bank app wrote their own security code, and didn't use the standard platform library, then when a bug was found, they'd get piled on here for rolling their own and not going with the much more widely tested platform implementation.
Should a well-put-together banking application re-implement the entire OS? After all, there are lots of places where security bugs can hide throughout the OS.
Exploits are theoretical; their mere existence does not mean your data is compromised. Other circumstances must exist first in order for particular people to be affected.
(Read more: scary headline.)
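The quoted point above (the certificate chain is fine; what is broken is the link from the handshake to that chain, so pinning cannot catch it) is easiest to see in code. The following is an added example, not code from the thread or from Apple's SecureTransport: a toy Go model in which the "certificate" is a long-term Ed25519 key (a stand-in for the RSA/ECDSA-over-X.509 the real library used), pinning is a byte comparison against that key, and the ServerKeyExchange signature is checked by a deliberately flawed verifier next to a corrected one. All type and function names (`ServerKeyExchange`, `verifyBuggy`, `verifyFixed`, `NewScenario`) are my own; the handshake is constructed in-process.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ServerKeyExchange: the per-connection ephemeral public key plus the
// long-term key's signature binding that key to this handshake.
type ServerKeyExchange struct {
	EphemeralPub []byte
	Signature    []byte
}

// transcript is what the signature must cover: both randoms and the
// ephemeral key, so the exchange cannot be replayed or substituted.
func transcript(clientRandom, serverRandom, ephemeralPub []byte) []byte {
	var b bytes.Buffer
	b.Write(clientRandom)
	b.Write(serverRandom)
	b.Write(ephemeralPub)
	return b.Bytes()
}

// pinOK models certificate pinning in this toy: the presented long-term key
// must equal the pinned copy. It says nothing about the ephemeral key.
func pinOK(pinned, presented ed25519.PublicKey) bool {
	return bytes.Equal(pinned, presented)
}

// verifyBuggy mirrors the shape of the flawed check: a status variable that
// still reads "success" from the earlier steps, then an unconditional jump
// to the exit label before the signature is ever compared.
func verifyBuggy(pinned, presented ed25519.PublicKey, cr, sr []byte, ske ServerKeyExchange) bool {
	if !pinOK(pinned, presented) {
		return false
	}
	var err error // nil plays the role of a zero status word
	msg := transcript(cr, sr, ske.EphemeralPub)
	if true { // the stray jump: always taken, so the check below is dead code
		goto fail
	}
	if !ed25519.Verify(presented, msg, ske.Signature) {
		err = errors.New("ServerKeyExchange signature does not verify")
	}
fail:
	return err == nil // reports success without having checked the signature
}

// verifyFixed is the same procedure with the stray jump removed.
func verifyFixed(pinned, presented ed25519.PublicKey, cr, sr []byte, ske ServerKeyExchange) bool {
	if !pinOK(pinned, presented) {
		return false
	}
	return ed25519.Verify(presented, transcript(cr, sr, ske.EphemeralPub), ske.Signature)
}

// Scenario is one constructed handshake: the genuine certificate, a
// legitimate signed exchange, and a negative test vector that keeps the
// genuine certificate but carries a different ephemeral key and a
// signature that does not verify.
type Scenario struct {
	Pinned, Presented ed25519.PublicKey
	CR, SR            []byte
	Legit, Tampered   ServerKeyExchange
}

func NewScenario() (Scenario, error) {
	serverPub, serverPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	ephPub, _, err := ed25519.GenerateKey(rand.Reader) // stand-in for a DH share
	if err != nil {
		return Scenario{}, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader) // share for the negative case
	if err != nil {
		return Scenario{}, err
	}
	cr, sr := make([]byte, 32), make([]byte, 32)
	rand.Read(cr)
	rand.Read(sr)
	legit := ServerKeyExchange{EphemeralPub: ephPub, Signature: ed25519.Sign(serverPriv, transcript(cr, sr, ephPub))}
	tampered := ServerKeyExchange{EphemeralPub: otherPub, Signature: make([]byte, ed25519.SignatureSize)}
	return Scenario{Pinned: serverPub, Presented: serverPub, CR: cr, SR: sr, Legit: legit, Tampered: tampered}, nil
}

func main() {
	s, err := NewScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("pin check on genuine certificate: ", pinOK(s.Pinned, s.Presented))
	fmt.Println("buggy verifier, legit exchange:   ", verifyBuggy(s.Pinned, s.Presented, s.CR, s.SR, s.Legit))
	fmt.Println("buggy verifier, tampered exchange:", verifyBuggy(s.Pinned, s.Presented, s.CR, s.SR, s.Tampered))
	fmt.Println("fixed verifier, legit exchange:   ", verifyFixed(s.Pinned, s.Presented, s.CR, s.SR, s.Legit))
	fmt.Println("fixed verifier, tampered exchange:", verifyFixed(s.Pinned, s.Presented, s.CR, s.SR, s.Tampered))
}
```

The pin check passes in every case because the genuine certificate really is presented; only the fixed verifier rejects the tampered exchange. That is the defender's takeaway: pinning constrains which long-term key may appear, but the binding of the session's ephemeral key to that long-term key is a separate check, and a client whose TLS library skips it has no fallback other than a patched library or a different one.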