web application security lab

iPhone SSL Warning and Safari Phishing

As some of you may have noticed, there’s a lot more going on in the SSL world and a lot more to come, thanks to guys like Mike Zusman, Alex Sotirov, Moxie Marlinspike and so on… Papers are forthcoming, but in the meantime I thought I’d point out a pretty nasty UI issue with the iPhone, since it’s something I’ve been meaning to post about for a while. Given the rise in mobile computing as a legitimate way to do business, I think this kind of thing is going to become more important. If an attacker can gain MITM access through a public wifi network that the iPhone is using, they can intercept a page that the user normally uses and trusts somewhat, but doesn’t necessarily trust with any sensitive data (like a blog or forum that they visit frequently, for instance).

What you’re seeing is a 1×1 pixel iframe (it doesn’t need to be visible, but it’s good for testing purposes) to https://www.bofa.com/, which uses an invalid certificate. Don’t ask me why one of the largest banks on earth can’t get their certs in order - that’s just the way it is. Anyway, let’s pretend that instead of being incredible sloppiness, it’s actually a MITM. The user is presented with a popup that in no way explains to them what the cert they are accepting is for. So their first instinct would be to accept it, because they aren’t going to be putting any sensitive information into the page anyway. The problem is that the cert stays with the browser session, so it will continue to work when the user does eventually surf to their bank or whatever SSL page you’ve MITM’d.

Compare that to the desktop version of Safari, where it at least tells you that it’s related to www.bofa.com. Still not the greatest visual cue, but it’s something. Incidentally, during this testing I messed around with some of the old tricks and found out that Safari still suffers from the old URL obfuscation tricks of ages past. E.g.: http://www.bofa.com@ha.ckers.org/. *sigh*
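The userinfo trick above works because everything before the `@` in the authority part of a URL is a username, not the host, and a browser that renders it prominently lets the eye read the wrong site name. The following added example (not code from the original post) parses URLs the way a browser does, using the WHATWG URL API built into Node.js, and flags the case where the username looks like a hostname. The first sample is the URL from the post; the others are constructed for illustration, and the function names are my own.

```javascript
// Added example: surface the "hostname-looking username" obfuscation by
// parsing with the WHATWG URL API (available in Node.js as global URL).
// Returns what the browser will actually connect to versus what a user
// skimming the address may read.
function analyzeUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return { input, valid: false };
  }
  // In "scheme://user:pass@host/", username/password are the userinfo.
  const userinfo = url.username + (url.password ? ":" + url.password : "");
  // A username containing a dot reads like a domain name; that is the
  // classic trick: the visible prefix names one site, the host is another.
  const lookalike = /\./.test(url.username);
  return {
    input,
    valid: true,
    scheme: url.protocol.replace(/:$/, ""),
    realHost: url.hostname,
    userinfo,
    suspicious: userinfo.length > 0 && lookalike,
  };
}

// Human-readable summary of one URL, suitable for a link-checker or a log.
function describe(input) {
  const r = analyzeUrl(input);
  if (!r.valid) return `${input}: not a valid URL`;
  if (r.suspicious) {
    return `${input}: reads as "${r.userinfo}" but connects to ${r.realHost}`;
  }
  return `${input}: connects to ${r.realHost}`;
}

// Constructed samples; only the first one appears in the post.
const samples = [
  "http://www.bofa.com@ha.ckers.org/",
  "https://www.bofa.com/",
  "http://guest:guest@intranet.example/login",
  "not a url",
];

for (const s of samples) {
  console.log(describe(s));
}
```

Run it with `node` and note that the parser, unlike the address bar, never lists www.bofa.com as the host of the first sample; a link-checking proxy or mail filter can use the same `suspicious` flag to warn users before they click.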

8 Responses to “iPhone SSL Warning and Safari Phishing”

  1. Nathan Says:

    No surprise here, Google Chrome suffers from the URL obfuscation trick too.

  2. Rafal Los Says:

    Interestingly enough… I’m not sure if this is by design or what but…

    https://BofA.com produces an error message about the redirect, but the URL stays “http://bofa.com”; however… going to http://BofA.com immediately re-directs you to https://www.bankofamerica.com

    Interesting… am I missing something or is there a break somewhere here?

  3. Beau Says:

    You have a similar problem (at least with Exchange integration) if you use a certificate that’s from a CA like GoDaddy (or self-signed). It just tells you there’s a problem verifying it but doesn’t tell you what that is.

  4. LonerVamp Says:

    As far as the usefulness of the initial warning, IE7 says nothing useful as well. But hey, thanks for rendering a full page to do that!

  5. Sid Says:

    There are lots of UI design decisions that get messed up when you have a small screen to work with:

    http://blog.sidstamm.com/2008/03/iphones-ambiguous-http-auth.html

    Unfortunately it seems the mobile Safari developers are assuming users don’t care about the identity of sites that are either sending certs or asking for your password…

  6. RSnake Says:

    The funny thing is that in the desktop version of Safari the default is to “continue” while on the mobile device the default is to “cancel”. Clearly not well thought through. :(

  7. Zac B Says:

    Sorry… but the first thing I thought of when I saw the graphic was: Does AT&T’s coverage suck or what?

    However, in regards to the *actual* problem… well… actually, I couldn’t care less… I don’t support or use the iPhone.

    But if that ever changes, well… since I’ll never, ever, EVER get the user to use the pinky gray stuff keeping the wind from whistling as it travels between their ears I truly doubt that even if this was corrected that it would stop the user from accepting a bad cert anyway.

    After all: clickity, clickity, clickity click… that is what the user has been trained to do right?

  8. Marco Ramilli Says:

    I had already discovered this bug some time ago:
    http://marcoramilli.blogspot.com/2008/02/discovering-potential-vulnerabilities.html
    I told Apple, but they said “Thank you man” and nothing more :(