Apple's most notorious code bug

'Bug': a word that makes most developers dread the night, and the reason they zone out and stare into space while you are talking to them. That is somewhat sad and somewhat true, but the reality is not so bad. Bugs are found in software all the time and cannot be avoided entirely, because software is written by humans and humans make mistakes. Most bugs are eliminated by rigorous testing, but some slip through the net, and the ones that go viral tend to be the silly but damaging ones. One such bug was Apple's infamous code error, known informally as "goto fail" and officially as CVE-2014-1266.

The bug impaired the ability of Apple devices to verify that the server on the other end of an encrypted connection really was the site named in the certificate it presented. In practice, your iPhone could not tell your actual bank's website from an impostor sitting between you and it.

SSL — How computers verify and trust other computers on the internet

Before we look at what went wrong, we need to understand SSL, the Secure Sockets Layer (long since superseded by its successor TLS, though the old name stuck): the mechanism that lets computers trust and verify websites on the internet. Your browser does this for you on every connection, and this is what it looks like:

[Image by Author: Komal Venkatesh Ganesan]

These days nearly every website uses HTTPS, that is HTTP over SSL/TLS, to connect securely. The website you visit must present a certificate to prove its identity. Your computer then checks whether that certificate was digitally signed, directly or through an intermediate, by one of the certificate authority (CA) certificates pre-loaded in the browser's or operating system's trust store. The digital signature relies on the math of asymmetric cryptography. If the math works out, the chain ends at a trusted CA and the name in the certificate matches the site you asked for, you get the green padlock and everything is hunky-dory. An eavesdropper cannot read your data or hijack your session, because the keys that encrypt the connection are bound to the identity that was just verified.

But when there is an impostor at the other end, your browser stops you. Here is an example I created in Python, pretending to be the wikipedia.org server:

[Image by Author: Komal Venkatesh Ganesan]

The browser knows this because I don't have a certificate signed by one of the authorities the browser validates against. In fact, I signed the certificate myself, saying 'I am wikipedia.org' (not the greatest of hacks), but SSL knows this and protects you from it. Notice the "self-signed root certificate":

[Image by Author: Komal Venkatesh Ganesan]

Apple's SSL verification code breaks

The bug in Apple's code, in the SecureTransport library that implements SSL/TLS for Safari, Mail and every app that relies on the system's networking stack, impaired exactly this verification. The consequences were severe because it broke the very fabric of trust and verification that makes using the internet from your device safe.

The C code with the bug is shown below (simplified for brevity). It is the function SSLVerifySignedServerKeyExchange in SecureTransport, and your iPhone or Mac ran it during the handshake of every HTTPS connection that used an ephemeral (DHE or ECDHE) key exchange. Here is what happened to it:

[Image by Author: Komal Venkatesh Ganesan]

This code checks the server's proof that it holds the private key belonging to the certificate it presented: the server signs its key-exchange parameters with that key, and the client hashes the same parameters and verifies the signature. The function is a series of checks, each an 'if' that jumps to the 'fail' label on error. But strangely, there is an extra "goto fail;" (marked in orange) that became unconditional, because it sits outside any 'if' (C is not indentation-driven like Python). In C that meant it always skipped the lines that followed (marked in blue), namely the final hash step and the signature verification itself, and jumped to the 'fail' line at the bottom, which returns the variable 'err'. Since every step before it had succeeded, 'err' was still 0, so the whole function reported success without ever checking the signature. A man in the middle could therefore relay the bank's genuine certificate, substitute his own key-exchange parameters with arbitrary bytes in the signature field, and the client would accept them.

If you are screaming "Use { } braces for if statements!", you are right. Braces cost nothing in the compiled binary; leaving them off saves a few keystrokes and invites exactly this class of mistake, where a second statement quietly lands outside the condition.
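The control-flow bug described above, reproduced in miniature as an added example (this is not Apple's SecureTransport code): the shape of SSLVerifySignedServerKeyExchange with the duplicated "goto fail;" beside the braced, fixed version. The hash and the "signature" are a toy FNV-1a digest assumed here purely for illustration (the real function used SHA-1 and an RSA or ECDSA verification), the handshake bytes are constructed, and the helper names are my own. Compiled and run, the vulnerable version accepts a garbage signature while the fixed one rejects it.

```c
/* goto_fail_demo.c: the CVE-2014-1266 control-flow bug reproduced in miniature.
 * Added example, not Apple's SecureTransport code. The hash and the "signature"
 * are toy stand-ins (an FNV-1a digest, assumed here for illustration only; it has
 * no cryptographic strength). The control flow is the point. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct { uint32_t h; } hash_ctx;

/* Each step returns 0 on success, like the OSStatus-returning calls in SecureTransport. */
static int hash_init(hash_ctx *c) { c->h = 2166136261u; return 0; }
static int hash_final(hash_ctx *c, uint32_t *out) { *out = c->h; return 0; }
static int hash_update(hash_ctx *c, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { c->h ^= p[i]; c->h *= 16777619u; }
    return 0;
}

/* Stand-in for sslRawVerify(): the signature is valid iff it equals the digest. */
static int raw_verify(uint32_t digest, uint32_t signature) {
    return digest == signature ? 0 : -1;        /* -1 plays the role of errSSLCrypto */
}

/* Constructed handshake material, not captured traffic. */
static const uint8_t CLIENT_RANDOM[] = "constructed-client-random";
static const uint8_t SERVER_RANDOM[] = "constructed-server-random";
static const uint8_t SIGNED_PARAMS[] = "constructed-ecdhe-parameters";
#define LEN(a) (sizeof(a) - 1)                  /* drop the string terminator */

/* What the honest server does: sign client_random || server_random || params. */
uint32_t genuine_signature(void) {
    hash_ctx c;
    uint32_t d;
    hash_init(&c);
    hash_update(&c, CLIENT_RANDOM, LEN(CLIENT_RANDOM));
    hash_update(&c, SERVER_RANDOM, LEN(SERVER_RANDOM));
    hash_update(&c, SIGNED_PARAMS, LEN(SIGNED_PARAMS));
    hash_final(&c, &d);
    return d;
}

/* Shape of SSLVerifySignedServerKeyExchange() as shipped before iOS 7.0.6. */
int check_vulnerable(uint32_t signature) {
    int err; hash_ctx c; uint32_t digest = 0;

    if ((err = hash_init(&c)) != 0)
        goto fail;
    if ((err = hash_update(&c, CLIENT_RANDOM, LEN(CLIENT_RANDOM))) != 0)
        goto fail;
    if ((err = hash_update(&c, SERVER_RANDOM, LEN(SERVER_RANDOM))) != 0)
        goto fail;
    if ((err = hash_update(&c, SIGNED_PARAMS, LEN(SIGNED_PARAMS))) != 0)
        goto fail;
        goto fail;                              /* the duplicated line: unconditional */
    if ((err = hash_final(&c, &digest)) != 0)   /* everything from here is dead code */
        goto fail;
    err = raw_verify(digest, signature);        /* the one check that matters: skipped */

fail:
    return err;   /* still 0 from the last successful hash_update(): reported as verified */
}

/* The fixed shape: braces on every branch, and the verify step is reached. */
int check_fixed(uint32_t signature) {
    int err; hash_ctx c; uint32_t digest = 0;

    if ((err = hash_init(&c)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&c, CLIENT_RANDOM, LEN(CLIENT_RANDOM))) != 0) {
        goto fail;
    }
    if ((err = hash_update(&c, SERVER_RANDOM, LEN(SERVER_RANDOM))) != 0) {
        goto fail;
    }
    if ((err = hash_update(&c, SIGNED_PARAMS, LEN(SIGNED_PARAMS))) != 0) {
        goto fail;
    }
    if ((err = hash_final(&c, &digest)) != 0) {
        goto fail;
    }
    err = raw_verify(digest, signature);

fail:
    return err;
}

int main(void) {
    uint32_t good = genuine_signature();
    uint32_t forged = good ^ 0xDEADBEEFu;       /* attacker's garbage in the signature field */
    printf("vulnerable, forged signature: %s\n", check_vulnerable(forged) == 0 ? "ACCEPTED" : "rejected");
    printf("fixed, forged signature:      %s\n", check_fixed(forged) == 0 ? "ACCEPTED" : "rejected");
    printf("fixed, genuine signature:     %s\n", check_fixed(good) == 0 ? "accepted" : "REJECTED");
    return 0;
}
```

Build it with `cc -Wall goto_fail_demo.c`. GCC 6 and later also emit a -Wmisleading-indentation warning on the duplicated line, a check that did not exist in 2014; the code compiles regardless, which is why a negative test with a bad signature, not the compiler, is the reliable safety net here.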

In short, Apple's iPhones, iPads and Macs lost the ability to perform this part of SSL validation, the internet's standard defence against eavesdropping and session hijacking. The vulnerability was published in February 2014 in the Common Vulnerabilities and Exposures database as CVE-2014-1266.

Apple fixed it in the iOS 7.0.6 update (with iOS 6.1.6 for older devices), and a few days later in OS X 10.9.2.

On a side note, the buggy function was only used for TLS 1.1 and below; TLS 1.2 took a separate code path that was not affected. That did not help, because the protocol version is negotiated: the client offers the versions it supports and the server picks one. An attacker in the middle is the "server" in that negotiation and simply picks TLS 1.1, so the vulnerability remained fully exploitable.

Man in the middle attack

A man-in-the-middle (MITM) attack is how the bug was exploited: an attacker on the network path, for example the operator of a rogue Wi-Fi hotspot, inserts himself between you and the real website and relays the traffic, and because the signature check is skipped your device cannot tell. The attacker then sees just about everything you send: your passwords, credit card details, location, and so on.

[Photo by Bermix Studio on Unsplash]

In cryptography and computer security, a man-in-the-middle attack is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.

Wikipedia

Retrospect

'To err is human', but that is also why we follow processes. We all make mistakes, and the software processes in place should have caught this one:

  • Why didn't the unit tests catch it?

  • Why wasn't there a peer code review?

  • Why didn't the software testing process or automated tests catch it?

  • CI/CD pipelines run automated tests on software builds and deployments. Why didn't that work?

Any one of these would have sufficed. A single negative test, one handshake with a deliberately corrupted signature, fails on this code, and clang's -Wunreachable-code warning (off by default) flags the dead lines after the second goto.

While some code bugs are incredibly complex and subtle, others are obvious and silly yet do serious damage. Apple's notorious "goto fail;" bug was the latter, a reminder, in software and in life, to test, test, test before launch.

Translated from: https://medium.com/swlh/apples-most-notorious-code-bug-6478ebaea44f
