Bleeding hearts

Read, a day or two ago, about Apple forgetting to update the software update machine's SSL certificate. Made me think of a problem with the Heartbleed problem. If the certificate wasn't updated (and it obviously wasn't, from looking at the dates), then Heartbleed could still be a problem.

Even if the Heartbleed bug was fixed, if the server cert hadn't been updated, then it would still be possible to do a "man in the middle" attack, if the server was compromised before the Heartbleed bug was patched. Maybe not a big deal, as there probably isn't all that much data flowing across the software update server. But still something to think about. I hope they've done a better job with iTunes, App Store, Mac App Store, and Apple Store server certs.
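The date check described above can be written down as a small audit helper. This is an added example, not part of the original post: it takes certificate dicts in the format Python's `SSLSocket.getpeercert()` returns, and the sample certificates, the `assess` name and the `patched_on` parameter are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone

# Heartbleed became public on 7 April 2014; used as the default "patched" date.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def _utc(cert_time):
    """Parse an ssl-module time string such as 'Apr 10 00:00:00 2014 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def assess(cert, patched_on=HEARTBLEED_DISCLOSED, now=None):
    """Classify a certificate dict in the format of SSLSocket.getpeercert().

    patched_on is when the server's TLS library was fixed (assumed known to
    the auditor); a certificate issued before that date carries a key that
    sat in the memory of a vulnerable server.
    """
    now = now or datetime.now(timezone.utc)
    issued, expires = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    if issued >= patched_on:
        # Caveat: the dates cannot show whether a new key pair was generated.
        return "issued after patch"
    if expires < now:
        return "pre-patch key, expired"
    # Until notAfter (or revocation), a leaked key can still impersonate the host.
    return "pre-patch key, still valid"


# Constructed sample certificates (validity dates only), not from any real server.
SAMPLES = {
    "old": {"notBefore": "May 23 00:00:00 2012 GMT", "notAfter": "May 24 23:59:59 2015 GMT"},
    "lapsed": {"notBefore": "May 23 00:00:00 2013 GMT", "notAfter": "May 24 23:59:59 2014 GMT"},
    "new": {"notBefore": "Apr 10 00:00:00 2014 GMT", "notAfter": "Apr 10 23:59:59 2015 GMT"},
}
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)  # constructed audit date

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(f"{name:7s} {assess(cert, now=NOW)}")
```

Passing a later `patched_on` covers the case where a certificate was reissued after disclosure but before the server itself was fixed.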
