I thought these comments on Slashdot made good points:
http://apple.slashdot.org/comments.pl?sid=8620863&cid=51309773:
“It's working exactly as it's supposed to. It's not meant to stop
everything, it's just a whitelisting system with some authentication
built in.
Blacklisting the offending apps is exactly how this type of system
works.
Anything signed by a valid cert which has been signed by Apple's cert is
trusted by default. That's what having an Apple signature on top of the
publisher signature means. This also means the applications are 'tamper
proof' in theory, because changing the application invalidates the sig
and the code no longer is whitelisted, so no virus will work.
The system then keeps a CRL, Certificate Revocation List. This list is
... blacklisted fingerprints. That is, certs or specific apps that were
not known to be compromised or malicious when Apple originally vetted
them, but something became known to be compromised after that process.
The CRL list means Apple can effectively change its mind about apps that
it previously approved.
This is all it is intended to do, and that alone mitigates a metric
fuckton of exploit cases.
Doesn't prevent apps that don't get caught in review. But you won't get
more than one or two malicious apps past them before you're completely
cut off from getting certs ever again. Vendors outside the AppStore will
have their certs revoked when exposed in the wild.
At no point was it intended to prevent every single exploit vector ever.
You're pretty ignorant of how this stuff works if you think they ever
said it was the cure-all to security issues.
All it does is add a layer of control to who can run arbitrary code on
your system, and by default, allows Apple to give people permission to
do so. You can also use your own certs and remove the AppStore cert,
effectively making it so only apps signed with your cert will run on the
machine ... or in the case of some companies, the company's cert is the
only thing that runs on the machine.”
http://apple.slashdot.org/comments.pl?sid=8620863&cid=51310823:
“Indeed, the first thing I thought when reading this was, "What
underlying issue? Blacklisting him is exactly how it's supposed to
work."
Apps from trusted sources are supposed to be able to do pretty much
anything they want until they prove they're not to be trusted. That's by
design. And, inevitably, some developers will abuse that trust, which is
why the design includes a means for the revocation of trust. Which is
exactly what happened here.
Yes, he's shown that trusted devs can include external code that's
malicious. So what? Trusted devs can also include internal code that's
malicious. Either way, their certs will be revoked and the problem will
go away. The primary benefit I can see is that this lets malware
developers move their malicious code out of the bundle that goes through
the App Store review process, but that's a marginal benefit at best,
since the default Gatekeeper setting doesn't require apps to have gone
through that process anyway.”
Scott
--
R. Scott Granneman
sc...@granneman.com ~ www.granneman.com
Contact info: granneman.tel
“When a man tells you that he got rich through hard work, ask him:
‘Whose?’”
---Don Marquis
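
The decision order the quoted comments describe (publisher cert chained to a trusted root, tamper check on the code, then the revocation list), as an added Python model that is not part of the original message and is not Apple's code. Assumptions: HMAC-SHA256 stands in for real asymmetric signatures, and `Root`, `sign_app`, `verdict`, `scenario` and all keys are hypothetical names and constructed values.

```python
import hashlib
import hmac

def fp(data: bytes) -> str:
    """Fingerprint used for revocation-list entries."""
    return hashlib.sha256(data).hexdigest()

def sign(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for an asymmetric signature.
    return hmac.new(key, data, hashlib.sha256).digest()

class Root:
    """A trust anchor (the platform vendor's cert, or a company's own)."""
    def __init__(self, key: bytes):
        self.key = key
        self.revoked = set()  # fingerprints of revoked certs or specific apps

    def issue(self, dev_key: bytes) -> dict:
        return {"dev_key": dev_key, "root_sig": sign(self.key, dev_key)}

def sign_app(cert: dict, code: bytes) -> dict:
    return {"code": code, "cert": cert, "sig": sign(cert["dev_key"], code)}

def verdict(root: Root, app: dict) -> str:
    cert = app["cert"]
    # 1. Publisher cert must chain to the root this machine trusts.
    if not hmac.compare_digest(cert["root_sig"], sign(root.key, cert["dev_key"])):
        return "untrusted-cert"
    # 2. Any change to the code invalidates the publisher signature.
    if not hmac.compare_digest(app["sig"], sign(cert["dev_key"], app["code"])):
        return "tampered"
    # 3. A valid signature is still refused once the cert or app is revoked.
    if fp(cert["dev_key"]) in root.revoked or fp(app["code"]) in root.revoked:
        return "revoked"
    return "allowed"

def scenario() -> dict:
    vendor, company = Root(b"vendor-root-key"), Root(b"company-root-key")  # constructed
    app = sign_app(vendor.issue(b"dev-key"), b"print('hello')")
    out = {"fresh": verdict(vendor, app),
           "modified": verdict(vendor, dict(app, code=b"print('evil')")),
           "company_only_machine": verdict(company, app)}
    vendor.revoked.add(fp(app["cert"]["dev_key"]))  # vendor changes its mind
    out["after_revocation"] = verdict(vendor, app)
    return out

if __name__ == "__main__":
    print(scenario())
```

The same unchanged app goes from allowed to refused once its cert fingerprint is added to the revocation set, which is the "change its mind" behaviour the first comment describes.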
On 18 Jan 2016, at 10:17, Mike B. wrote:
http://www.seosuf.com/tech/mac-users-vulnerable-to-malware-as-gatekeeper-security-hole-not-yet-fixed-four-months-after-discovery/
--
--
Central West End Linux Users Group (via Google Groups)
Main page: http://www.cwelug.org
To post: cwelug@googlegroups.com
To subscribe: cwelug-subscr...@googlegroups.com
To unsubscribe: cwelug-unsubscr...@googlegroups.com
More options: http://groups.google.com/group/cwelug
---
You received this message because you are subscribed to the Google
Groups "Central West End Linux Users Group" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to cwelug+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.