I got a bunch of interesting info about the Mac App Store cert situation, but it’s so technical, I’m not sure it’s worth explaining.
-
-
@rbrockerhoff “so only very old apps would be affected by that”: unfortunately, some modern apps do, too! I don’t have a list. -
@glennf so, modern apps that use an outdated version of OpenSSL or some other library, then? -
@rbrockerhoff The word is an old version of OpenSSL. If you’re using the pre-1.0.0 chain, you can wind up w/o SHA-256 support, IIRC. -
@glennf hmm. Not up on the history, but it seems 1.0.0 came out in March 2010, so some people stayed on the 0.9.x branch because of APIs…? -
-
@rbrockerhoff Yeah, 1.0.0 wasn’t broadly supported for a long time b/c of how crappy OpenSSL was due to a lack of financial support. -
@glennf I use a very small subset of OpenSSL for cert/receipt checking and, frankly, didn't notice anything crappy beyond the major opacity. -
-
@rbrockerhoff I mean, it’s not the OpenSSL folks’ *fault*—they did what they could. 1.0 being better funded = better code -
@glennf I agree it's not their fault (nor really anyone's in particular). As I said, meltdown was a coincidence of several point failures. -
-
-
-
@rbrockerhoff Thanks for this rundown! I need to tweak my story. The fragility is really something and the UI presentation of failure. -
@GlennF don't trust me too much either, better double-check and tell me. Will amend my comments on the OpenSSL aspect. -
@glennf …and, amended my comments, linking to your article.
-
-
-
RT because of timezones/weekend: My take on the Mac App Store meltdown: http://brockerhoff.net/blog/2015/11/14/a-tale-of-two-certs/ … Comments?
-
Again, RT because of timezones/weekend: My take on the Mac App Store meltdown: http://brockerhoff.net/blog/2015/11/14/a-tale-of-two-certs/ … Comments?
-
-
@rbrockerhoff @gregminton @mjtsai Some apps use outdated SSL libs and couldn’t check the newly issued SHA-256 cert (from Sept) -
-
@rbrockerhoff Good post. I noted two other cases of Apple blaming developers. -
@mjtsai probably not Apple-as-corporate-person, but some clueless employee, one hopes... -
@rbrockerhoff Of course, because corporate wouldn’t go on record. Unclear whether employees were following training or not.
-
-
-
@rbrockerhoff Nice writeup. What about what Apple can do to prevent this in the future? -
@marczak update sample code, better docs — beyond that, depends on what really caused the "damaged" thing. We may never hear details. -
@rbrockerhoff Sure, but it wasn’t something that developers could have prevented. It’s 100% Apple’s fault. -
@marczak insofar as it's anyone's fault, it's Apple's, true. But, really, the meltdown was a coincidence of several point failures. -
@rbrockerhoff So, only Apple can do something to prevent this from happening again. It needs to be a learning experience for them.
-
Glenn Fleishman
Greg Minton
Rainer Brockerhoff
Michael Tsai
Edward Marczak