Apple joins the rush to kill off outdated crypto
It’s been more than four years since legendary cypherpunk Moxie Marlinspike released a tool that made cracking the point-to-point tunneling protocol for virtual private networks a trivial endeavor.
ChapCrack was released at DefCon in 2012 — and that was 14 years after grandaddy crypto-hacker Bruce Schneier showed how Microsoft’s implementation of the protocol could be broken — but PPTP has lingered.
Now Apple’s latest operating system upgrades — Mac OS Sierra and iOS 10 — “will remove PPTP connections from any VPN profile when a user upgrades their device,” the company said in a blog post.
iOS 10 was released publicly on Tuesday, and OS Sierra is slated for release next week.
According to an Apple advisory for system administrators, the updates also deprecate the Secure Sockets Layer, or SSL, v3 cryptographic protocol and the RC4 symmetric cipher suite — both long considered outdated and insecure forms of encryption.
“It amazes me when I visit [a potential customer] and they tell me, ‘No, we’re good, we have SSL.’ It’s just not secure,” Eric Green, security strategist for Cyber adAPT, told Cyberscoop.
RC4 was developed nearly 30 years ago and can be brute forced without difficulty. Last year, the Internet Engineering Task Force forbade its further use in Transport Layer Security, or TLS, the encryption protocol widely used in e-commerce.
SSLv3 has been supplanted by TLS. It too was prohibited — even as a fallback — by the IETF last year.
Google dropped its support for email clients using SSLv3 and RC4 in June. Last month, Microsoft’s Edge and Internet Explorer 11 browsers disabled RC4. Chrome and Firefox haven’t used it for months.