Apple’s most infamous code bug
‘Bug’: a word that keeps most developers up at night, and the reason they zone out and stare into space while you are talking to them. That is a little sad and mostly true, but the reality is not so bad. Bugs turn up in software all the time and cannot be avoided entirely, simply because humans make mistakes. Most of them are eliminated through rigorous testing, but some slip through the net. The ones that go viral are the silly yet devastating ones. One such bug was Apple’s infamous code bug, informally referred to as “goto fail” or officially as “”.
The bug impaired the ability of Apple devices to verify that the websites you visited were who they claimed to be. This meant that your iPhone could not tell the difference between your actual bank’s website and an imposter.
SSL — How computers verify and trust other computers on the internet
Before we understand what went wrong, we need to understand ‘SSL’, the Secure Sockets Layer (its successor TLS is what actually runs today, but the old name has stuck): the mechanism that allows computers to verify and trust websites on the internet. Your browser does this for you on every connection, and this is how it looks:
Image by Author: Komal Venkatesh Ganesan
These days, nearly all websites use HTTPS (HTTP over SSL/TLS) to connect securely. That forces the website you visit to present a certificate to prove its identity. Your computer then checks that certificate against a set of root certificates pre-loaded in the browser or operating system (the trust store) to see whether it was digitally “signed”, directly or through a chain of intermediates, by a certification authority it trusts. This ‘’ utilises the math of . If the math works out and the chain leads back to one of the certificate authority (CA) keys in the trust store, the browser gives you the green light and everything is hunky-dory: an eavesdropper on the network cannot read your data or hijack your web session.
But when there is an imposter at the other end, your browser stops you. Here is an example I created in Python, pretending to be the server:
Image By Author: Komal Venkatesh Ganesan
The browser knows this because I do not have a certificate signed by one of the authorities the browser validates against. In fact, I signed the certificate myself, effectively declaring ‘I ’ (not the greatest of hacks), but SSL is built for exactly this case and protects you from it. Notice the “self-signed root certificate”:
Image By Author: Komal Venkatesh Ganesan
Apple’s SSL verification code breaks
The bug in Apple’s code impaired this ability of your computer to perform certificate validation. The consequences were severe, because it broke the very fabric of trust and verification on which safely using the internet from your device depends.
The C code with the bug is shown below (simplified for brevity). It lives in Apple’s Secure Transport library, and your iPhone or Mac ran it whenever it negotiated a TLS connection that used an ephemeral (DHE/ECDHE) key exchange, which is when the server’s key-exchange message carries a signature that must be checked. Here is what happened to it:
Image By Author: Komal Venkatesh Ganesan
So this piece of code checked the signature that proves the server really holds the private key belonging to the website’s certificate. The check is a series of steps, each guarded by an ‘if’ statement that jumps to ‘fail’ on error. But strangely, there is one extra line, “goto fail;” (marked in orange), which is unconditional: it sits outside any ‘if’ (C is not driven by indentation like Python), so it always executes. In C that meant the function always skipped the lines that followed (marked in blue), including the final signature verification, and jumped to the ‘fail’ label at the bottom, which returns the variable ‘err’. Since ‘err’ still held the success value from the last check that did run, the whole validation reported success without ever having performed the remaining checks (marked in blue).
If you are screaming “Use { } braces for if statements!”, you are right. We are not in the 80s any more, trying to save a few bytes by avoiding braces on small . A compiler warning for unreachable code (clang’s -Wunreachable-code flags the statements after an unconditional goto) or a single test that fed the function a bad signature would also have caught it.
In short, all of Apple’s devices (iPhones, Macs, iPads) lost the ability to perform this part of SSL validation, the internet’s standard defence against eavesdropping and web hijacking. The vulnerability was published in February 2014 in the Common Vulnerabilities and Exposures database — .
This was fixed by Apple in the iOS 7.0.6 update (and shortly afterwards in OS X 10.9.2 for Macs):
iOS 7.0.6
Data Security
Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later
Impact: An attacker with a privileged network position may ca
On a side note, the bug affected only protocol versions below TLS 1.2; the TLS 1.2 handshake went through a separate function that did not have the duplicated line. That was no protection in practice, however: the protocol version is negotiated between the client and the server, and a man in the middle is the one playing the server, so it can simply offer TLS 1.1 (or lower) and steer the client onto the vulnerable path regardless of what the real website supports. The vulnerability therefore remained fully exploitable.
Man in the middle attack
A MITM (man in the middle) attack was the natural exploit of the bug: an attacker on your network path (a rogue Wi-Fi hotspot, for instance) could sit between you and the real website and read or alter all of the traffic, with the browser still showing the padlock. That meant they got just about everything from you: your passwords, credit card details, your location, and so on.