Major security flaw in iOS and OSX, be sure to update to iOS 7.0.6 ASAP

Status
Not open for further replies.

GaimeGuy

Volunteer Deputy Campaign Director, Obama for America '16
Not exactly. You could rename "goto fail" to "goto exit" to remove the confusion; the problem occurs when that block is called with an error code of zero (which is what the second goto does). In other words, when fail is called when there is no failure, it succeeds, bypassing further checks.

Apple's real fail here is not asserting that err is non-zero in the fail block, which would ensure fail is only called on error (and otherwise warn or crash), and would have caught the problem at virtually no cost.

Seems like a bad design if they need to cache the error codes in a member variable if you ask me.
 

Cth

Member
Any word on how iOS 7 runs on 2nd gen iPads? I never upgraded from iOS 5 after all the problems iOS 6 was giving users.
 
I'm trying to download the update but the estimated download time is 60-70 minutes and it always fails because my MacBook Air 2013 has Wi-Fi connectivity issues for which Apple STILL HASN'T MADE A PATCH.

I have to restart the download from scratch every ten minutes.
 

leadbelly

Banned
Yes. Depending on how far down the rabbit hole you want to go:

1. NSA have not exploited the flaw.
2. NSA found the flaw and exploited it.
3. NSA had a mole at Apple that purposely put in the flaw.
4. Apple consciously put in the flaw for the NSA.

They've still got DROPOUT JEEP. It will always work, always... apparently.
 

Cth

Member
Pretty mediocre. iPad is somewhat sluggish since iOS7, I'm not a fan.

Hrm.. decisions, decisions..

I've been putting off upgrading for performance issues, and with more apps requiring 6/7 and now this, I might just go ahead and upgrade and deal with the sluggishness.

Thanks!
 

whitehawk

Banned
[Image: BhEuZKmCcAAcPAS.png]


Brackets.
Can someone explain the problem to someone who doesn't program?
 

braves01

Banned
So if I have an iPhone 4, I'm forced to update my phone to a newer version that will kill my performance or live with no security

Fuck
 

SRG01

Member
Can someone explain the problem to someone who doesn't program?

It enters fail: before hitting the conditional, which will always return true.

So if I have an iPhone 4, I'm forced to update my phone to a newer version that will kill my performance or live with no security

Fuck

Which iOS are you on? iOS 6 should be updated to 6.1.6. If you're <5, you're okay.

edit: For those of you just joining us, please use https://gotofail.com/ to see if your system is compromised. Chrome is not affected because it uses its own verification system.
 

PFD

Member
Hrm.. decisions, decisions..

I've been putting off upgrading for performance issues, and with more apps requiring 6/7 and now this, I might just go ahead and upgrade and deal with the sluggishness.

Thanks!

If you're still on iOS 5 this security issue does not affect you.

My iPhone hangs on Checking for Update. Goddamn it Apple, it is because I'm jailbroken, isn't it

Yes, actually. The jailbreak intentionally disables over-the-air update functionality. You need to update through iTunes.

Which iOS are you on? iOS 6 should be updated to 6.1.6. If you're <5, you're okay.

Only if you have a 3GS/iPod Touch 4G. Other devices, like the iPhone 4, can only update to iOS 7, as Apple won't sign anything prior to that.
 
Can someone explain the problem to someone who doesn't program?

It should check to see if it fails and then go elsewhere if it does, and if not it continues the checks if it passes. However due to the placement of the second goto fail; even if the check passes it will always fail no matter what.
 

terrisus

Member
"Today we know that HTTPS haven't protected our credentials and privacy for 1 year, maybe more on OSX and iOS"


Sounds great...
 

whitehawk

Banned
It enters fail: before hitting the conditional, which will always return true.



Which iOS are you on? iOS 6 should be updated to 6.1.6. If you're <5, you're okay.

edit: For those of you just joining us, please use https://gotofail.com/ to see if your system is compromised. Chrome is not affected because it uses its own verification system.
Good thing I'm using Firefox. Says it's safe. Safari on the other hand failed the test.
 

PFD

Member
So if I have an iPhone 4, I'm forced to update my phone to a newer version that will kill my performance or live with no security

Fuck

If the jailbreaking community releases a fix through Cydia, you might be able to safely stick to iOS 6, if you're willing to put up with the jailbreak.
 

Guess Who

Banned
If you're on an iPhone 4 and concerned about performance, you could wait for 7.1 which will probably hit in a month and perform quite a bit better than 7.0.x.
 

Lord Error

Insane For Sony
Can someone explain the problem to someone who doesn't program?
See where it says goto fail twice? Because of the way the condition is formatted, the second 'goto fail' will always execute regardless of condition. It's like if they wrote this:

if (condition) { goto fail; }
goto fail;
 

reKon

Banned
See where it says goto fail twice? Because of the way the condition is formatted, the second 'goto fail' will always execute regardless of condition. It's like if they wrote this:

if (condition) { goto fail; }
goto fail;

How did this get missed upon review? I'm assuming that code gets reviewed by multiple senior staff before it's given the green light..
 

FyreWulff

Member
My iOS devices are updated, but my MBP isn't so much an issue as it hasn't been out of my house for a few years at least, correct?

The communications still leave your network unencrypted. The only encryption is between you and the router when you set a password to get onto it.

Encrypting your wifi encrypts the communication between your computer/device and the router, but not anything past your router. That's what SSL is usually there for, to protect the communication between the edge of your network and the edge of the network you're communicating with.

This might help illustrate it a bit. Click the HTTPS button to see what SSL usually does for you:

https://www.eff.org/pages/tor-and-https

Right now without the update, your communications on iOS and OSX were like having both the HTTPS and Tor buttons unselected.

With proper SSL activated, your browser communications are safeguarded even on open wifi.
 

Cush

Member
My iPhone 4 has 6.1.3 but when I go to software update, it offers 7.0.6. How do I get 6.1.6?

Edit: Ah, I see that I can't.
 
Well at least the picture is wrong (or at least, not completely accurate in depicting the problem).

For those of you who don't speak code:

Problem #1: The encrypted connection always fails (pictured).
Problems 2 through 5000000000000000000: When an encrypted connection fails, the system automatically falls back to an unencrypted transmission.

Thanks. Wow ...
 

Suikoguy

I whinny my fervor lowly, for his length is not as great as those of the Hylian war stallions
This is such an unbelievable oversight... I mean... Wow.

I can see how the programming error itself was not caught.

HOWEVER, I'm quite surprised that both internal Apple software testing did not find it, and it was overlooked by hackers, or if it was discovered, remained a secret.
 
I can see how the programming error itself was not caught.

HOWEVER, I'm quite surprised that both internal Apple testing did not find it, and it was overlooked by hackers, or if it was discovered, remained a secret.
If I'm a hacker and had a convenient backdoor like this, I wouldn't tell anyone.
 