
I'm a little naive when it comes to SSL/TLS. I've been wondering whether the reason for the delay is that, with this compromise, Apple's update service is no longer a secure channel through which to distribute a fix. So now they're scratching their heads trying to figure out a way around the issue, possibly coding up something that uses OpenSSL. Is this line of reasoning unfounded?

EDIT: Great points about the checking of the signatures. Let's hope there's not a second bug that can bypass this in some cases.




My understanding is that the update system checks digital signatures on the downloaded data separately from TLS, rather than simply relying on the integrity of TLS. If that understanding is correct, then there shouldn't be any issue there.


That would be all the more reason for them to have released the update simultaneously with the iOS update.

Although we still don't know how this was discovered or if it's in the wild.


Software updates are signed by Apple's key; only signed and verified files can be installed by software update.


That's an interesting line of thought, but:

1. If they can't use the update service, then they can't deploy anything that they're coding up anyways.

2. I assume they sign their updates, so it shouldn't matter that the channel is compromised.
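
The point several comments above make, that an update's signature is checked separately from TLS, shown as an added example that is not part of the thread and is not Apple's code. It assumes Ed25519 detached signatures and a vendor public key shipped with the client; `Update`, `VerifyUpdate` and `Demo` are hypothetical names, and the keys and payload are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is what arrives over the (possibly compromised) download channel.
type Update struct {
	Payload   []byte
	Signature []byte // detached signature over Payload
}

var ErrBadSignature = errors.New("update rejected: signature does not verify against pinned key")

// VerifyUpdate checks the update against a vendor public key that shipped
// with the client, so the result does not depend on TLS integrity.
func VerifyUpdate(pinned ed25519.PublicKey, u Update) error {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, u.Payload, u.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Demo builds constructed sample updates and returns the verification result
// for: genuine, payload altered in transit, and re-signed with another key.
func Demo() (genuine, tampered, resigned error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)          // key the client does not trust

	payload := []byte("constructed update payload v2")
	good := Update{payload, ed25519.Sign(vendorPriv, payload)}

	// Same signature, different bytes: what a modified download looks like.
	altered := Update{append([]byte("X"), payload...), good.Signature}
	// Valid signature, but from a key the client never pinned.
	swapped := Update{altered.Payload, ed25519.Sign(otherPriv, altered.Payload)}

	return VerifyUpdate(vendorPub, good), VerifyUpdate(vendorPub, altered), VerifyUpdate(vendorPub, swapped)
}

func main() {
	g, t, r := Demo()
	fmt.Println("genuine:", g, "| tampered:", t, "| re-signed:", r)
}
```

The check only holds if the pinned key and the verification code themselves are intact, which is the "second bug" concern raised in the thread.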



