Published 2023-11-28 (author: )

Mac error code 43 _ Apple’s most infamous code bug

‘Bug’, a term that makes most developers dread the night, and the reason why they incessantly zone out and stare into space when you’re talking to them. While that is both somewhat sad and true, the reality isn’t so bad. Bugs are identified all the time in software and are impossible to avoid, simply because we are humans and we make mistakes. Most bugs are eliminated through rigorous software testing, but some slip through the net. The ones that do go viral are the silly but detrimental ones. One such bug was Apple’s infamous code bug, informally referred to as “goto fail” or officially as “”.

Image by Author: Komal Venkatesh Ganesan

These days, all websites use HTTPS (i.e. HTTP with SSL) to connect securely. That forces the website you visit to present a certificate to prove its authenticity. Your computer then verifies this against a set of pre-loaded keys in the browser to see if it was digitally “signed” by a certification body. This ‘’ utilises the math of . If that math works out and the certificate proves to be signed by one of the certificate authority (CA) keys in the browser, it gives you a green light and everything is hunky-dory. Nobody can sniff your data or hijack your web-sessions.

But when there is an imposter at the other end, your browser stops you. Here’s an example I created in python, pretending to be the server:

Image By Author: Komal Venkatesh Ganesan

The browser knows this because I don’t have a certificate signed by one of the authorities that the browser validates against. In fact, I signed the certificate myself saying, ‘I am ’ (not the greatest of hacks), but SSL knows this and protects you from it. Notice the “self-signed root certificate”:

Image By Author: Komal Venkatesh Ganesan

The bug in Apple’s code undermined the computer’s ability to perform certificate verification. The consequences were harmful, because it broke the fabric of trust and verification involved in using the Internet securely from a device.

The C code with the bug is shown below (simplified for brevity). Your iPhone/Mac calls this function every time you visit a webpage, and here’s what happened to it:

Image By Author: Komal Venkatesh Ganesan

So, this piece of code checked the authenticity of the website’s certificates. The process has a series of checks with multiple ‘if’ statements. But strangely, you can see that there’s an extra line, “goto fail;” (marked in orange), which became an unconditional statement. This is because it sits outside of the ‘if’ statement (C isn’t driven by indentation like Python). In C, it meant that execution always skipped over the lines that followed (marked in blue) and jumped to the ‘fail’ label at the bottom to return the variable ‘err’. So if the ‘err’ variable still indicated success at that point, the entire validation would succeed without ever having performed the additional checks (marked in blue).
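As an added example (constructed for this page, not Apple’s actual code), here is the same control-flow pattern in C, with hypothetical stub functions hash_update() and verify_signature() driven by two flags, the buggy verifier beside the fixed one:

```c
#include <stdio.h>

/* Return codes for this constructed example (not Apple's error constants). */
#define ERR_OK             0
#define ERR_HASH          -1
#define ERR_BAD_SIGNATURE -2

/* Stand-ins for the handshake hash updates and the final signature check.
 * The flags exist only to drive the example: they decide whether each step
 * reports success (0) or a failure code. */
static int hash_update(int update_fails)         { return update_fails ? ERR_HASH : ERR_OK; }
static int verify_signature(int signature_valid) { return signature_valid ? ERR_OK : ERR_BAD_SIGNATURE; }

/* Buggy pattern: the second "goto fail;" is indented as if it belonged to the
 * if above it, but C ignores indentation, so it runs unconditionally. Once
 * every earlier step succeeded, err is still 0 when control reaches "fail",
 * and the function reports success without ever calling verify_signature(). */
int verify_buggy(int update_fails, int signature_valid)
{
    int err = ERR_OK;
    if ((err = hash_update(update_fails)) != 0)
        goto fail;
    if ((err = hash_update(update_fails)) != 0)
        goto fail;
        goto fail;                       /* the extra, unconditional line */
    if ((err = verify_signature(signature_valid)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed pattern: same checks with the duplicated line removed, so a forged
 * signature is rejected. Braces around every branch also make a stray line
 * a visible part of the block instead of a silently unconditional jump. */
int verify_fixed(int update_fails, int signature_valid)
{
    int err = ERR_OK;
    if ((err = hash_update(update_fails)) != 0) { goto fail; }
    if ((err = hash_update(update_fails)) != 0) { goto fail; }
    if ((err = verify_signature(signature_valid)) != 0) { goto fail; }
fail:
    return err;
}

int main(void)
{
    /* Constructed case: hashing succeeds, but the signature is invalid. */
    printf("buggy verifier: %d (0 means accepted)\n", verify_buggy(0, 0));
    printf("fixed verifier: %d\n", verify_fixed(0, 0));
    return 0;
}
```

With an invalid signature the buggy verifier returns 0 (accepted) while the fixed one returns ERR_BAD_SIGNATURE; a compiler flag such as gcc’s -Wmisleading-indentation flags the stray line.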

On a side note, this bug applied only to SSL versions below TLS 1.2, and not to TLS 1.2 itself. However, the TLS version can be negotiated between computers, and the remote server can choose TLS 1.1 if it wishes to. So this meant that the vulnerability remained open.

Man in the middle attack

A MITM (man in the middle) attack was the most common exploit of the bug: it allowed hackers to get in the middle and eavesdrop on all the traffic between you and the real website. This meant that they got just about everything from you.

In cryptography and computer security, a man-in-the-middle attack is an attack where the attacker secretly relays and

Retrospect

‘To err is human’, but that’s also why we follow processes in our life. We all make mistakes, but the software processes in place should have identified it.
