Apple Software Update Server Certificate Expired

UPDATE:
Apple installed a new SSL certificate on swscan.apple.com early on Sunday, May 25, 2014.

swscan.apple.com new certificate 20140525

——-

Late Saturday afternoon, a colleague told me that he was having issues getting software updates through the Mac App Store.

An error has occurred

The certificate for this server is invalid. You might be connecting to a server that is pretending to be “swscan.apple.com” which could put your confidential information at risk.

Apple-Software-Update-SSL-Error

Upon further investigation, the certificate for swscan.apple.com had simply expired: nobody at Apple had installed a renewed certificate before the old one's validity period ended, so every client doing its job correctly refused the connection.

swscan.apple.com certificate expired

Is it possible that a small company like Apple could not afford at least one person to make sure all their security certificates are up to date?

Mr Tim Cook, I am available to do that one job. How does $200,000 a year sound?
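The check that would have caught this is an expiry monitor, and it does not need the $200,000 engineer. The following is an added example written for this post, not anything from Apple: it parses the notAfter line that `openssl x509 -noout -enddate` prints (feed it the output of `openssl s_client -connect swscan.apple.com:443 -servername swscan.apple.com </dev/null 2>/dev/null | openssl x509 -noout -enddate`) and classifies the certificate as OK, expiring soon, or expired. The sample date, the 30-day threshold and the status names are constructed for the example; the date is consistent with the post's timeline but is not the real certificate's value.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Added example (not from the original post or from Apple): classify a
 * certificate by its notAfter date so a cron job can alarm before it lapses. */

enum cert_status { CERT_OK = 0, CERT_EXPIRING_SOON = 1, CERT_EXPIRED = 2, CERT_PARSE_ERROR = -1 };

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's
 * days_from_civil), so no timegm() and no timezone handling is needed. */
static long long days_from_civil(long long y, unsigned m, unsigned d)
{
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (long long)doe - 719468;
}

/* Parse "May 24 23:59:59 2014 GMT", optionally prefixed by "notAfter=" exactly
 * as openssl prints it. Returns UTC epoch seconds, or -1 if the string does
 * not have that shape (the caller must treat -1 as "check your tooling",
 * never as "fine"). */
long long parse_not_after(const char *s)
{
    static const char *months = "JanFebMarAprMayJunJulAugSepOctNovDec";
    char mon[4], tz[4];
    int d, H, M, S, y;

    if (strncmp(s, "notAfter=", 9) == 0)
        s += 9;
    if (sscanf(s, "%3s %d %d:%d:%d %d %3s", mon, &d, &H, &M, &S, &y, tz) != 7)
        return -1;
    if (strcmp(tz, "GMT") != 0 || strlen(mon) != 3)
        return -1;

    const char *p = strstr(months, mon);
    if (p == NULL || (p - months) % 3 != 0)
        return -1;
    unsigned m = (unsigned)((p - months) / 3 + 1);
    if (d < 1 || d > 31 || H < 0 || H > 23 || M < 0 || M > 59 || S < 0 || S > 60)
        return -1;

    return days_from_civil(y, m, (unsigned)d) * 86400LL + H * 3600LL + M * 60LL + S;
}

/* Classify a certificate given its notAfter line, the current time, and how
 * many days of warning the operator wants. */
enum cert_status check_cert_expiry(const char *not_after, long long now, int warn_days)
{
    long long expiry = parse_not_after(not_after);
    if (expiry < 0)
        return CERT_PARSE_ERROR;
    if (expiry <= now)
        return CERT_EXPIRED;
    if (expiry - now < (long long)warn_days * 86400LL)
        return CERT_EXPIRING_SOON;
    return CERT_OK;
}

const char *status_name(enum cert_status s)
{
    switch (s) {
    case CERT_OK:            return "OK";
    case CERT_EXPIRING_SOON: return "EXPIRING_SOON";
    case CERT_EXPIRED:       return "EXPIRED";
    default:                 return "PARSE_ERROR";
    }
}

int main(void)
{
    /* Constructed sample: a notAfter consistent with the post's timeline
     * (expired by Saturday afternoon, replaced early Sunday May 25, 2014). */
    const char *sample = "notAfter=May 24 23:59:59 2014 GMT";
    long long sunday = 1400976000LL;          /* 2014-05-25 00:00:00 UTC */
    long long now = (long long)time(NULL);

    printf("%s -> as of 2014-05-25: %s\n", sample, status_name(check_cert_expiry(sample, sunday, 30)));
    printf("%s -> as of now: %s\n", sample, status_name(check_cert_expiry(sample, now, 30)));
    return 0;
}
```

The 30-day warning is the point of the check: a renewal that has not been installed should page someone weeks before the old certificate lapses, not on a Saturday afternoon when a colleague notices the App Store failing.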


Apple releases fix for SSL Vulnerability in OS X Mavericks, Mountain Lion and Lion

On the morning of Tuesday, February 25, 2014, Apple released a fix for the SSL vulnerability in OS X Mavericks, Mountain Lion and Lion.

The fix for the SSL vulnerability is included in OS X Mavericks 10.9.2, and in Security Update 2014-001 for Mountain Lion and Lion.

Safari on OS X Mavericks 10.9.2 passed the goto fail test.

OS X Mavericks 10.9.2 Safari goto fail test

OS X Mavericks 10.9.2 Update

This update:

  • Adds the ability to make and receive FaceTime audio calls
  • Adds call waiting support for FaceTime audio and video calls
  • Adds the ability to block incoming iMessages from individual senders
  • Improves the accuracy of unread counts in Mail
  • Resolves an issue that prevented Mail from receiving new messages from certain providers
  • Improves AutoFill compatibility in Safari
  • Fixes an issue that may cause audio distortion on certain Macs
  • Improves reliability when connecting to a file server using SMB2
  • Fixes an issue that may cause VPN connections to disconnect
  • Improves VoiceOver navigation in Mail and Finder

For detailed information about this update, please visit: About the OS X Mavericks 10.9.2 Update

Security Update 2014-001 (Mountain Lion)

Security Update 2014-001 (Lion)

——-

The SSL Vulnerability is currently present in iOS 7.1 beta 5 build 11D5145e. According to an Apple engineer, a new build of iOS 7.1 beta is coming “really soon”.


SSL Vulnerability present in iOS 7.1 beta and OS X Mavericks 10.9.2 Developer Preview

Apple released iOS 6.1.6 and iOS 7.0.6 on Friday, February 21, 2014 to address an SSL vulnerability. According to reports, the same vulnerability is present in the current OS X Mavericks 10.9.1 release, in OS X Mavericks 10.9.2 build 13C62 and in iOS 7.1 beta build 11D5145e.

Based on the goto fail; test, Google Chrome, Mozilla Firefox and Camino on OS X are not affected by this vulnerability: they ship their own TLS implementation rather than using Apple's Secure Transport, which is where the bug lives. Camino was no longer being developed as of May 31, 2013.
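To see what the goto fail; test used here and in the 10.9.2 post above is probing, it helps to see the bug's control flow. The test serves a TLS handshake whose ServerKeyExchange signature is wrong; a vulnerable client accepts it, which is exactly what a man in the middle needs. The following is an added C model, not Apple's Secure Transport source: the real function is SSLVerifySignedServerKeyExchange in Apple's open-source Security framework (the bug is CVE-2014-1266), and the hash, "signature", buffer type and error value here are toy stand-ins invented for this example so the control flow can run without a TLS stack.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Apple's code: a reduced model of the "goto fail" bug.
 * Names are modelled on Secure Transport's, values and crypto are toys. */

typedef int OSStatus;
enum { errSecSuccess = 0, errToyBadSignature = -9809 }; /* -9809: illustrative, after errSSLCrypto */

typedef struct { const unsigned char *data; size_t length; } SSLBuffer;
typedef struct { unsigned h; } toy_hash_ctx;

/* Toy hash: a 32-bit multiplicative accumulator standing in for SHA-1. */
static OSStatus toy_hash_update(toy_hash_ctx *ctx, const SSLBuffer *buf)
{
    for (size_t i = 0; i < buf->length; i++)
        ctx->h = ctx->h * 31u + buf->data[i];
    return errSecSuccess;
}

static OSStatus toy_hash_final(toy_hash_ctx *ctx, unsigned *out)
{
    *out = ctx->h;
    return errSecSuccess;
}

/* Toy "signature": the signer publishes the hash, verification compares it. */
static OSStatus toy_raw_verify(unsigned hash_out, unsigned signature)
{
    return hash_out == signature ? errSecSuccess : errToyBadSignature;
}

unsigned toy_sign(const SSLBuffer *server_random, const SSLBuffer *signed_params)
{
    toy_hash_ctx ctx = { 0 };
    unsigned out;
    toy_hash_update(&ctx, server_random);
    toy_hash_update(&ctx, signed_params);
    toy_hash_final(&ctx, &out);
    return out;
}

/* Control flow as shipped in the vulnerable releases. The second, unindented
 * "goto fail;" is unconditional, so the function jumps to the cleanup label
 * with err still errSecSuccess from the last hash update. The final hash step
 * and the signature check never execute, and any signature is accepted. */
OSStatus verify_signed_params_vulnerable(const SSLBuffer *server_random,
                                         const SSLBuffer *signed_params,
                                         unsigned signature)
{
    OSStatus err;
    toy_hash_ctx ctx = { 0 };
    unsigned hash_out = 0;

    if ((err = toy_hash_update(&ctx, server_random)) != 0)
        goto fail;
    if ((err = toy_hash_update(&ctx, signed_params)) != 0)
        goto fail;
        goto fail;          /* the duplicated line */
    if ((err = toy_hash_final(&ctx, &hash_out)) != 0)
        goto fail;
    err = toy_raw_verify(hash_out, signature);
fail:
    return err;
}

/* The fix is deleting the stray line; nothing else changes. */
OSStatus verify_signed_params_fixed(const SSLBuffer *server_random,
                                    const SSLBuffer *signed_params,
                                    unsigned signature)
{
    OSStatus err;
    toy_hash_ctx ctx = { 0 };
    unsigned hash_out = 0;

    if ((err = toy_hash_update(&ctx, server_random)) != 0)
        goto fail;
    if ((err = toy_hash_update(&ctx, signed_params)) != 0)
        goto fail;
    if ((err = toy_hash_final(&ctx, &hash_out)) != 0)
        goto fail;
    err = toy_raw_verify(hash_out, signature);
fail:
    return err;
}

/* Drive either version with constructed inputs; forge != 0 presents the
 * signature a man in the middle without the server's key would have to send. */
OSStatus run_check(int use_fixed, int forge)
{
    const unsigned char rnd[] = "constructed-server-random";
    const unsigned char params[] = "constructed ServerKeyExchange params";
    SSLBuffer server_random = { rnd, sizeof rnd - 1 };
    SSLBuffer signed_params = { params, sizeof params - 1 };
    unsigned sig = toy_sign(&server_random, &signed_params);
    if (forge)
        sig ^= 0xdeadbeefu;
    return use_fixed ? verify_signed_params_fixed(&server_random, &signed_params, sig)
                     : verify_signed_params_vulnerable(&server_random, &signed_params, sig);
}

int main(void)
{
    printf("vulnerable, forged signature: %d (0 means accepted)\n", run_check(0, 1));
    printf("fixed, forged signature:      %d\n", run_check(1, 1));
    printf("fixed, genuine signature:     %d\n", run_check(1, 0));
    return 0;
}
```

The skipped check is the one that ties the server's ephemeral key to its certificate, so a client with this bug will happily complete an ECDHE or DHE handshake with anyone who presents the real certificate chain but their own key. The test sites simply do what that attacker would do, and a browser built on a different TLS stack never ran this code path at all.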

iOS 7.1 beta 5 build 11D5145e SSL Vulnerability

Apple is expected to fix this SSL vulnerability in the upcoming builds of iOS 7.1 and OS X Mavericks (10.9.1 and the 10.9.2 Developer Preview).

John Gruber wrote a great post on Daring Fireball regarding this SSL vulnerability issue and NSA exploits on iOS.

According to a tweet by Jeffrey Grossman (@Jeffrey903):

I have confirmed that the SSL vulnerability was introduced in iOS 6.0. It is not present in 5.1.1 and is in 6.0 /cc @markgurman

Tin foil hat might be handy, as a sleeper NSA agent might be working at Apple.

Jurors Sided Against Newegg on Patent Lawsuit

An eight-person jury in Marshall, Texas found that the online retailer Newegg infringed a patent owned by TQP Development, a non-practicing patent holder.

Ars Technica reports:

They also found the patent was not invalid, apparently rejecting arguments by famed cryptographer Whitfield Diffie, who took the stand on Friday to argue against the patent.

The jury ordered Newegg to pay $2.3 million, a bit less than half of the $5.1 million TQP's damages expert had suggested.

Newegg said they will appeal the verdict.

——-

Disclaimer
I was recently hired on a project that involves Newegg as the client. I cannot discuss, let alone reveal, the details of the project at this moment. I can safely say that the project is unrelated to the Newegg patent lawsuit. I am also a Newegg customer.

Newegg Visitor Badge

Nokia, You’ve gotta be kidding me!

Meatloaf is not amused

From GigaOM:

Nokia has confirmed reports that its Xpress Browser decrypts data that flows through HTTPS connections – that includes the connections set up for banking sessions, encrypted email and more. However, it insists that there’s no need for users to panic because it would never access customers’ encrypted data.

Nokia is playing the man in the middle with the Xpress Browser. The browser never talks TLS to the bank at all: it ships with Nokia's own certificate, so it trusts Nokia's proxy servers and opens its encrypted session to them. The proxy decrypts that traffic and only then opens a separate HTTPS session to the actual website. Everything the user sends or receives sits in the clear on Nokia's server in between, which is why "we would never access it" is a promise, not a technical guarantee.

Does anyone remember what Opera Mini does? It has routed everything, HTTPS included, through Opera's servers, which render the page, since the beginning.

Some corporate networks do the same thing: a TLS-intercepting proxy, trusted only because IT has pushed its CA certificate to every managed machine, terminates the HTTPS session on the proxy and opens its own session to the website on behalf of the client. The difference is that those machines belong to the company, and the company tells its users.