iOS 8.0 ships with a number of trusted certificates (also known as “root certificates” or “certificate authorities”), which iOS implicitly trusts. The root certificates are used to trust intermediate certificates, and the intermediate certificates are used to trust web site certificates. When you go to a web site using HTTPS, or an app makes a secure connection to something on the Internet (like your mail server), the web site (or mail server, or whatever) gives iOS its certificate, and any intermediate certificates needed to make a “chain of trust” back to one of the roots. Using the fun mathematical property of transitivity, iOS will trust a web site’s certificate because it trusts a root certificate.
iOS 8.0 includes two hundred twenty-two trusted certificates. In this post, I’m going to take a look at these 222 certificates. First I’m going to look at them in the aggregate, giving CA counts by key size and by hashing algorithm. Afterwards, I’m going to look at who owns these trusted roots.
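The chain of trust described above, as an added example that is not from the original post: it builds a constructed root, intermediate and web site certificate with the `openssl` command-line tool (assumed to be installed), shows when the site certificate is accepted, and prints the key size and signature hash that the post tallies per root. All file names and certificate names are made up for the illustration.

```shell
#!/bin/sh
# Added illustration: a constructed root -> intermediate -> leaf chain (all names are made up).
set -eu
cd "$(mktemp -d)"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > min.cnf  # minimal config, no system openssl.cnf needed

# issue NAME CN SIGNER EXT: create a key and a certificate for CN.
# SIGNER is "self" for a root, otherwise the NAME of the issuing CA.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config min.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf '%s\n' "$4" > "$1.ext"
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile "$1.ext" \
      -sha256 -days 1 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -extfile "$1.ext" -sha256 -days 1 -out "$1.pem" 2>/dev/null
  fi
}

# chain_ok ROOT LEAF [INTERMEDIATE]: succeed only if LEAF chains back to ROOT.
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# key_and_hash CERT: print "<key bits> <signature algorithm>" for one certificate.
key_and_hash() {
  openssl x509 -in "$1" -noout -text | awk '
    /Public-Key:/ && !bits { gsub(/[^0-9]/, ""); bits = $0 }
    /Signature Algorithm:/ && !alg { alg = $NF }
    END { print bits, alg }'
}

issue root  "Demo Root CA"         self  "basicConstraints=critical,CA:TRUE"
issue other "Unrelated Root CA"    self  "basicConstraints=critical,CA:TRUE"
issue inter "Demo Intermediate CA" root  "basicConstraints=critical,CA:TRUE"
issue leaf  "www.example.test"     inter "basicConstraints=CA:FALSE"

chain_ok root.pem  leaf.pem inter.pem && echo "trusted: leaf -> intermediate -> root"
chain_ok root.pem  leaf.pem           || echo "rejected: intermediate not supplied"
chain_ok other.pem leaf.pem inter.pem || echo "rejected: chain ends at a root we do not trust"
key_and_hash root.pem
```

The same `key_and_hash` function can be run over each file of an exported root store and piped through `sort | uniq -c` to get counts by key size and hashing algorithm.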
About an hour ago, I opened bug #18403015 on Radar, Apple’s bug reporting web site.
This is not the first time I’ve reported a bug to Apple: I recently opened a different bug (#18347673) because iOS has problems handling identity certificates, and I’ve opened other bugs as well in the past, for other stuff. What makes this bug different is that I’m reporting it as a security bug.
From time to time (and more often when I have more free time), I wonder “Hmmm, how would I solve [insert problem here]?”, and from time to time I think “How about this?” That’s what I’ll be using this category for: problems that I find interesting, and that my solution might work for.
Am I going to be talking about things that are way out of my depth? Probably! Am I going to be talking about problems that have already been solved? Most likely! But hey, you never know, it might be useful!
Time for the obligatory first post! Every once in a while, I have something that I think justifies the effort to write down. When such a thing happens, I’m going to put it here. I’m not going to be talking about anything specifically, but my posts will likely be related to my background in IT.
I’ll talk more about my background in a later post. Until then…