This is a pretty big deal. It means that an attacker could intercept communications from an iPhone that was meant to be encrypted. Let’s say the attacker had access to the same network over an unsecured WiFi connection in a coffee shop or restaurant. He could impersonate a protected site such as Facebook or Gmail and alter any data passed between the iPhone and the site. The worse news for Apple is the its desktop operating system, OS X, is perhaps even more exposed to attack.
Given the severity of the potential damage, Apple has taken a low-key approach to notifying users of the harm to which they are exposed. The company has pushed a patch to iPhone users, but the company’s note says only, “This security update provides a fix for SSL connection verification,” and contains a link to a page on Apple’s support site. The update gives no sense of urgency about installing the patch.
This has to be embarrassing for Apple. SSL (secure socket layer) has been around for about 20 years and implementing it properly should be a no-brainer for a company like Apple. Perhaps that is why the company’s response has been so low-key.