- 07-23-2007, 01:01 PM #1401
- 07-23-2007, 01:07 PM #1402
- 07-23-2007, 01:08 PM #1403
(1) Apple is/has been working on an update since they probably locked down the software for shipping. So it's not that far fetched.
(2) In a nice surprise, Motorola released an update for the Sprint Q 3 weeks after release to fix a bunch of issues, so it can and has been done.
- 07-23-2007, 01:19 PM #1404
- 07-23-2007, 01:22 PM #1405
I've been using it for months now and even though it's just a "technology preview" (not even an alpha or beta for release) it works quite well. There is a security issue with server-side handling, so that is one thing that will need to be considered.
- 07-23-2007, 01:26 PM #1406
- 07-23-2007, 01:28 PM #1407
- 07-23-2007, 01:29 PM #1408
Let's also hope that iphone had some effect on the mobile browser situation, and lots of good browsers are coming; before iphone, the innovative browsers that people were talking about (at least that I heard about) were things like opera (which, while a step up from blazer, isn't in the same league with mobile safari). I imagine we won't see much of a response from MS or palm, however, until their next generation of products. (And, for palmos, that might as well be never. I expect we'll see their linux-based OS around the time duke nukem forever ships).
So... Apple and security... have you met before?
iPhone / Yahoo: Too cool to do standards, too hip to do security.
Okay, so those two words donít mean anything to you.
Take one iPhone. Take a Yahoo mail account, supporting ďPush IMAPĒ, although itís neither P-IMAP nor Lemonade. The iPhone authenticates to Yahoo using a proprietary mechanism called XYMPKI. The exchange goes like this:
iPhone: Iíd like to authenticate using XYMPKI, please.
iPhone: Hereís a structured message, containing my device ID and a signature.
iPhone: Hereís my X.509 certificate in DER form.
Yahoo: Okay, I believe you.
Now, people have posted these traces on the web. Everyone knows that PKI is pretty secure, of course.
So, find one, and repeat it:
Me: Iíd like to authenticate using XYMPKI, please.
Me: Hereís someone elseís first message, that I snooped off the wire, or grabbed via Google.
Me: Hereís someone elseís certificate, that I also got.
Yahoo: Okay, I believe you.
This is known as a replay attack. Itís not too serious, because any recent IMAP service supports TLS - theyíre all mandated to by RFC3501, let alone Lemonade. This prevents replay attacks via sniffing, because you canít get data. Youíre still vulnerable to someone spoofing the DNS, and therefore pretending to be Yahooís server, although TLS certificate checking should catch this, too.
Oh, wait - because Yahoo! Donít! Do! Standards!
So they donít do TLS.
So not only does DNS spoofing work very nicely - thanks, Yahoo - but also anyone on an unencrypted access point can lift your credentials.
What could Yahoo and Apple have done about this?
Well, firstly, they could have done TLS. Thatíd protect against the replay attack, as well as bringing them somewhat closer into line with the RFC theyíre meant to be following.
Secondly, they could have used a different mechanism, say DIGEST-MD5 (venerable and moving to historic, but still quite good), GSSAPI, or simply TLS and SASL EXTERNAL based on the device certificate. Or some other proprietary mechanism that actually offered real security.
But they didnít. Because they donít, apparently, give a flying **** about basic security, standards, or indeed anything much other than how to look cool. I donít know why Iím so angry about this, given I donít own an iPhone, but itís a further let-down from people who really ought to know better.
These things ought to be a showcase for technology, not a shiny box of stupidity.
So, has Paris Hilton got an iPhone yet? On the other hand, the iPhone doesn't do video, does it...
- 07-23-2007, 01:35 PM #1410
Not a very pretty solution, but it works. (I actually rely on a bookmarklet for "find on this page" pretty heavily - it's a pretty nice way to go until and unless they add some more functionality).
- 07-23-2007, 02:05 PM #1411
- 07-23-2007, 02:11 PM #1413
- 07-23-2007, 02:13 PM #1414
- 07-23-2007, 02:23 PM #1416
- 07-23-2007, 02:55 PM #1417
I am curious with how widespread the iPhone is projected to be, if we'll see a reversal of hacking/virii for mobile devices i.e. we have anti-virus scanners for WM yet there has never been a "real" virus attempt to spread on these devices (despite all of those FUD "projections" from symantec).
But will there be more attempts at hacking/compromising the iPhone due to
(1) It's so widely adopted (relatively) and it's prominence
(2) It's so locked down that it attracts more attention?
Obviously it's way too early to make any predictions, thought it will be interesting to see what happens.
- 07-23-2007, 03:24 PM #1419
- 07-23-2007, 03:43 PM #1420
- 07-23-2007, 03:43 PM #1421
- 07-23-2007, 03:43 PM #1422
- 07-23-2007, 03:44 PM #1423
- 07-23-2007, 03:45 PM #1424
- 07-23-2007, 03:50 PM #1425
Thank you for your kind words. I spent a decade designing microprocessors for companies like Sun and AMD, so it's in my nature to break things down logically and analyze them from a neutral perspective.
If Apple doesn't do a firmware update by the end of august that addresses some of the glaring deficiencies, I may join you guys :-) (but probably not. i knew what i was paying for when i forked over my cash, so i don't feel like apple owes me too much beyond bug fixes.)