This morning I received the following alert on my iPhone (and yes, I do have 708 unread emails)
While the alert complained about the identity of "prc.apple.com", when I clicked on "Details", it referred to "instant.arubanetworks.com". Was the prc.apple.com certificate signed by arubanetworks?
I clicked on "More Details", and the following Subject Name and Issuer Name information popped up.
Scrolling down, I see the details of the signing algorithm: SHA-1.
Given that SHA-1 has been compromised (Announcing the first SHA1 collision), an untrusted certificate alert from a SHA-1 certificate had me concerned.
In the end, as is too often the case in security, I was left with lots of questions.
- Was there a verification problem with the "prc.apple.com" certificate or "instant.arubanetworks.com" certificate?
- Was the prc.apple.com certificate faked and signed with a bad instant.arubanetworks.com certificate?
- Was there a man-in-the-middle attack?
- Was Apple's software just buggy and in reality everything was fine?
- Was there a problem, but Apple's alert identified the wrong certificate that was having problems?
- What the heck Aruba? You are all about the IoT and you use SHA-1? Don't we already have enough troubles with IoT?