On Twitter, Andrew Mayes posted a link to an October 3 story posted by The Verge titled This is what happens when 911 fails. The article talks about experiences people had trying to call 911, via landline or mobile, as well as troubles that 911 dispatchers have sometimes experienced in trying to locate mobile callers. One area not mentioned by the author was Voice over IP (VoIP). Unfortunately, the story isn’t any better in the mystical VoIP wonderland.
If you have a business, especially if your business uses VoIP for outside phone service, have you done a 911 test? If not, do one soon!
Warning! I am about to bring up a topic that others have talked about before: Name Constraints (as it applies to SSL, that is). Name Constraints is a way for a Certificate Authority (a CA) to say “All of the certificates issued by me should only be used for these domains (x.net, or y.z.com, or all of .org, etc.). Any other certificate should not be trusted.”
Name Constraints are not supported by everything yet, but they are supported in some places. Not only would Name Constraints make things easier for sysadmins, it would give a new revenue stream for CAs, browsers would have an easier time accepting them, and it would “streamline the user experience” (whatever that means).
iOS 8.0 ships with a number of trusted certificates (also known as “root certificates” or “certificate authorities”), which iOS implicitly trusts. The root certificates are used to trust intermediate certificates, and the intermediate certificates are used to trust web site certificates. When you go to a web site using HTTPS, or an app makes a secure connection to something on the Internet (like your mail server), the web site (or mail server, or whatever) gives iOS its certificate, and any intermediate certificates needed to make a “chain of trust” back to one of the roots. Using the fun mathematical property of transitivity, iOS will trust a web site’s certificate because it trusts a root certificate.
iOS 8.0 includes two hundred twenty-two trusted certificates. In this post, I’m going to take a look at these 222 certificates. First I’m going to look at them in the aggregate, giving CA counts by key size and by hashing algorithm. Afterwards, I’m going to look at who owns these trusted roots.
About an hour ago, I opened bug #18403015 on Radar, Apple’s bug reporting web site.
This is not the first time I’ve reported a bug to Apple: I recently opened a different bug (#18347673) because iOS has problems handling identify certificates, and I’ve opened other bugs as well in the past, for other stuff. What makes this bug different is that I’m reporting it as a security bug.
From time to time (and more often when I have more free time), I wonder “Hmmm, how would I solve [insert problem here].”, and from time to time I think “How about this?” That’s what I’ll be using this category for, problems that I find interesting, and that my solution might work for.
Am I going to be talking about things that are way out of my depth? Probably! Am I going to be talking about problems that have already been solved? Most likely! But hey, you never know, it might be useful!
Time for the obligatory first post! Every once in a while, I have something that I think justifies the effort to write down. When such a thing happens, I’m going to put it here. I’m not going to be talking about anything specifically, but my posts will likely be related to my background in IT.
I’ll talk more about my background in a later post. Until then…