Apple, Google, Microsoft, and Mozilla come together to end TLS 1.0

Almost everyone has now migrated to TLS 1.2, and a few have moved to TLS 1.3.

A green exterior door is sealed with a padlock.

Enlarge (credit: Indigo girl / Flickr)

Apple, Google, Microsoft, and Mozilla have announced a unified plan to deprecate the use of TLS 1.0 and 1.1 early in 2020.

TLS (Transport Layer Security) is used to secure connections on the Web. TLS is essential to the Web, providing the ability to form connections that are confidential, authenticated, and tamper-proof. This has made it a big focus of security research, and over the years, a number of bugs that had significant security implications have been found in the protocol. Revisions have been published to address these flaws.

The original TLS 1.0, heavily based on Netscape's SSL 3.0, was first published in January 1999. TLS 1.1 arrived in 2006, while TLS 1.2, in 2008, added new capabilities and fixed these security flaws. Irreparable security flaws in SSL 3.0 saw support for that protocol come to an end in 2014; the browser vendors now want to make a similar change for TLS 1.0 and 1.1.

Read 2 remaining paragraphs | Comments

Apple to Congress: Chinese spy-chip story is “simply wrong”

“Our internal investigations directly contradict every consequential assertion.”

Article intro image

Enlarge / Apple CEO Tim Cook. (credit: Drew Angerer/Getty Images)

Apple isn't relenting in its attacks on last week's Bloomberg story claiming that tiny Chinese chips had compromised the security of Apple and Amazon data centers. In a Monday letter to Congress, Apple wrote that the claims in the Bloomberg story were "simply wrong."

Bloomberg's story, published last Thursday, claimed that the Chinese government had secretly added spy chips to the motherboards of servers sold by Supermicro. According to Bloomberg, these servers wound up in the data centers of almost 30 companies, including Apple and Amazon. But the three companies featured in the story—Apple, Amazon, and Supermicro—have all issued broad and strongly worded denials.

The stakes here are high for Apple. Millions of Americans rely on the company to protect the privacy of their data on iCloud and other online services. If there were really Chinese chips infiltrating Apple data centers, it could call into question the security of those services. But Apple insists that the story was simply bogus.

Read 9 remaining paragraphs | Comments

Bloomberg: Super Micro motherboards used by Apple, Amazon contained Chinese spy chips

Super Micro, Amazon, and Apple deny everything in the report.

Article intro image

(credit: Wikipedia)

Tiny Chinese spy chips were embedded onto Super Micro motherboards that were then sold to companies in the US, including Amazon and Apple, reports Bloomberg. The report has attracted strenuous denials from Amazon, Apple, and Super Micro.

Bloomberg claims that the chips were initially and independently discovered by Apple and Amazon in 2015 and that the companies reported their findings to the FBI, prompting an investigation that remains ongoing. The report alleges that the tiny chips, disguised to look like other components or even sandwiched into the fiberglass of the motherboards themselves, were connected to the management processor, giving them far-reaching access to both networking and system memory. The report says that the chips would connect to certain remote systems to receive instructions and could then do things like modify the running operating system to remove password validation, thereby opening a machine up to remote attackers.

The boards were all designed by California-based Super Micro and built in Taiwan and China. The report alleges that operatives masquerading as Super Micro employees or government representatives approached people working at four particular factories to request design changes to the motherboards to include the extra chips. Bloomberg further reports that the attack was made by a unit of the People's Liberation Army, the Chinese military.

Read 3 remaining paragraphs | Comments

A host of new security enhancements is coming to iOS and macOS

(credit: Nathan Mattise)
Apple on Monday previewed a variety of security and privacy features it plans to add to macOS and iOS operating systems, including encrypted Facetime group calls, password-management tools, and camera and microphone protecti…

(credit: Nathan Mattise)

Apple on Monday previewed a variety of security and privacy features it plans to add to macOS and iOS operating systems, including encrypted Facetime group calls, password-management tools, and camera and microphone protections. The company also released a beta version of the upcoming iOS 12 that, according to Motherboard, all but kills off two iPhone unlocking tools used by police forces around the world.

The feature, known as USB Restricted Mode, requires that users unlock their iPhone with a password when connecting to it a USB device. Motherboard said the beta requires a password each time a phone that hasn’t been unlocked in the past hour tries to connect to a device using a Lightning connection. The password requirement largely neutralizes iPhone unlocking tools provided by companies called Cellebrite and GrayShift, which reportedly use USB connectivity to bypass iOS restrictions on the number of incorrect PIN guesses can be entered into an unlocked iPhone. With those limitations removed, police can make an unlimited number of PIN guesses when attempting to unlock a confiscated iPhone.

Previous iOS betas had USB restrictions that required the entering of a password when it hadn’t been unlocked for seven days. Those USB Restricted Modes were later removed before Apple issued final versions of iOS. The restrictions this time around are much more stringent, because police would have no more than 60 minutes between the time they obtain an iPhone and connect it to an unlocking tool. Readers should remember that Apple has previously removed USB Restricted Mode before releasing final versions and may do so again with iOS 12.

Read 5 remaining paragraphs | Comments