
iOS 5 now protects against DigiNotar, MD5-signed certs

Apple added a number of security patches to iOS 5, including revoking trust …

iOS 5, still slowly rolling out to users after its launch on Wednesday, not only brings new features—it also brings a number of important security fixes for iPhone, iPad, and iPod touch users. The update removes trust for any and all security certificates from hacked certificate authority DigiNotar, drops support for certs with MD5 hashes, and updates TLS to version 1.2 to improve the security of SSL connections.

Dutch certificate authority DigiNotar was hacked in July by a hacker calling himself ComodoHacker, who used DigiNotar's servers to generate hundreds of fraudulent security certificates. Though the company had believed that it had deleted all of them from its servers, it ended up missing at least one certificate. That particular certificate allowed the hacker to put his servers between Gmail users and Google's Gmail servers in order to intercept e-mail from a number of Iranian citizens.

Once news of the hack spread, Mozilla, Google, Microsoft, and others issued patches that blacklisted all DigiNotar certs. Effectively, any server using a cert from DigiNotar would not be trusted. Apple took almost two weeks to issue a patch for Mac OS X, and it wasn't until today's iOS 5 update that iPhone, iPad, and iPod touch users received a similar patch.

According to Apple, the DigiNotar issue "is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted."
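The "including those issued by other authorities" clause matters because a cross-signed intermediate can still chain to a different trusted root after its own root is removed. The following is an added example, not Apple's code: a constructed Python model of path building in which certificates are reduced to subject/issuer pairs, all names other than "DigiNotar" are placeholders, and distrust is assumed to match on the subject name.

```python
from collections import namedtuple

# Constructed model: a cert is just (subject, issuer). No X.509 parsing or
# signature verification; only path building and the distrust decision.
Cert = namedtuple("Cert", "subject issuer")

# Constructed sample PKI; every name except "DigiNotar" is a placeholder.
CERTS = [
    Cert("DigiNotar Root (constructed)", "DigiNotar Root (constructed)"),
    Cert("Other Root (constructed)", "Other Root (constructed)"),
    # The same intermediate exists twice: under its own root and cross-signed.
    Cert("DigiNotar Intermediate (constructed)", "DigiNotar Root (constructed)"),
    Cert("DigiNotar Intermediate (constructed)", "Other Root (constructed)"),
    Cert("mail.example.test", "DigiNotar Intermediate (constructed)"),
    Cert("shop.example.test", "Other Root (constructed)"),
]
ALL_ROOTS = {"DigiNotar Root (constructed)", "Other Root (constructed)"}
ROOTS_AFTER_REMOVAL = {"Other Root (constructed)"}


def paths_to_root(subject, certs, trusted_roots, seen=()):
    """Yield every chain (leaf first) from `subject` to a trusted self-signed root."""
    for cert in certs:
        if cert.subject != subject or cert in seen:
            continue
        if cert.subject == cert.issuer:  # self-signed: the chain ends here
            if cert.subject in trusted_roots:
                yield [cert]
            continue
        for rest in paths_to_root(cert.issuer, certs, trusted_roots, seen + (cert,)):
            yield [cert] + rest


def is_trusted(subject, certs, trusted_roots, distrusted=()):
    """True if some chain reaches a trusted root without touching a distrusted name."""
    for chain in paths_to_root(subject, certs, trusted_roots):
        if not any(name in c.subject for c in chain for name in distrusted):
            return True
    return False


if __name__ == "__main__":
    leaf, deny = "mail.example.test", ("DigiNotar",)
    print("before patch:           ", is_trusted(leaf, CERTS, ALL_ROOTS))
    print("root removed only:      ", is_trusted(leaf, CERTS, ROOTS_AFTER_REMOVAL))
    print("root removed + distrust:", is_trusted(leaf, CERTS, ROOTS_AFTER_REMOVAL, deny))
    print("unrelated site:         ", is_trusted("shop.example.test", CERTS, ROOTS_AFTER_REMOVAL, deny))
```

In this model, removing the root alone leaves the leaf trusted through the cross-signed path; only the explicit distrust check on every certificate in the chain rejects it while leaving the unrelated site untouched.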

iOS 5 also makes two additional improvements to data security. Apple has removed support for X.509 certs signed using the MD5 hash algorithm, which has some known vulnerabilities. It also updates the TLS protocol to version 1.2, which addresses a potential man-in-the-middle attack when using otherwise trusted SSL connections.

Additionally, iOS 5 includes a number of patches for buffer overflows and other potential exploits in libxml, ImageIO, Unicode support, WebKit, and more. Full details are posted on Apple's website.
