Sunday, September 05, 2010

DONT BUY CHEAP SSL CERTIFICATES FROM GODADDY!! [Updated]

Update 6/09/2010

Well, it looks like I was wrong. The actual problem was that the intermediate certificate had not been installed on the remote server. Sorry, Go Daddy. I would like to thank Vincent, who suggested this, and the GoDaddy representative on Twitter, @godaddy.

In my defense (read: covering my ass), I didn't set up the server, so I assumed that it had been done correctly.

On the upside it's working now :)

Synopsis
Don't buy cheap SSL certificates from GoDaddy if you plan to use them with the iPhone (read: DON'T BUY THEM EVER). GoDaddy doesn't use a Root Certificate Authority that is validated by iOS. (See the update above: this turned out to be wrong.)

How i found this out
For my latest iOS app I was collaborating with some other developers who were building the server backend for the app. Like all good programmers, we agreed that communications between the devices and the remote servers should be performed over SSL.

After shipping a beta to my clients, the backend team reported that they didn't have any traces of my app in their server logs. This was strange, as I was using my favourite ASIHTTPRequest library. I've used it countless times, so I was fairly sure that I wasn't making a mistake, but logs don't lie.

When stuff like this happens, my first instinct is to grab Wireshark and see what's happening on the wire. Now, any 12-year-old hacker will tell you that you can't sniff SSL traffic, so I made my requests over plain old HTTP. I confirmed that the requests reached the server, were processed, and a 200 response was returned. I reported my findings to the backend team and shipped them a new beta with logging enabled, so they could see that I wasn't making some elementary mistake...

And this is where it got strange: they responded that they saw my application report the requests and their failure, but stranger still, their log messages were blank. Usually an Apache log entry contains the URL requested along with a user agent; not this time, there was only a timestamp. With debug logging enabled, the server reported that the connection had been aborted partway through the SSL handshake (1st clue).

With that obvious clue in hand, I completely ignored it and used NSURLConnection to make my request instead of ASIHTTPRequest. However, my requests over SSL were still failing, returning a nil NSURLResponse object.

The answer (as always) lay embedded in the [NSError localizedDescription]

The certificate for this server is invalid. You might be connecting to a server that is pretending to be “REDACTED.com” which could put your confidential information at risk., NSUnderlyingError=0x2f8c30

So I checked the certificate ... It was of course valid for another year. OK, that was weird. So I googled the error code, NSURLError -1202. It led me to a page on the Facebook developer forums.

This error code is known in the iOS world as

NSURLErrorServerCertificateUntrusted

On the page, they mention the phrase "trusted root certificate authority", something that I've learnt about from Steve Gibson & Leo Laporte on Security Now.

So I decided to find out the name of the server's root authority: it was a company called valicert.com.
The great folks (you guys better approve this app!!) at Apple have published a list of trusted root certificates, and guess what, ladies and gents (drum roll): valicert.com is not there.

Sure enough, visiting the URL in the browser presented me with a dialog asking if I wanted to proceed with an untrusted certificate. Now, while I can press yes, any user of my application would have to do the same thing. Not a good user experience any way you swing it. Hence the headline. The solution is to splash the cash and use a more widely recognised authority.

On the flip side, this is a massive win for Apple, as it means you've got to use most of the money (that you don't share with me) you've been stealing from people's accounts with that botnet to purchase your certificate and fake business address. But seriously, hats off to Apple: this should help keep the amount of spoofing on the iPhone to a minimum, well, if they fix all the buffer overflows first ...

Hopefully I've saved someone a nightmare.
Jonathan

7 comments:

Vincent said...

Go Daddy is one of the largest SSL vendors these days. Their root is indeed valicert, which IS in the list you link to. And they're definitely recognized by iOS.

There is a certificate in the middle, valicert -> Go Daddy -> you. The error likely means that you don't have the Go Daddy intermediary certificate installed correctly on your web server.

Depending on whether you chose Go Daddy or Starfield, it's gd_bundle.crt or sf_bundle.crt from: https://certs.godaddy.com/anonymous/repository.seam

Veritech said...

I don't think the page loaded properly when I wrote this, as I did a "ctrl+f" search on the page for the root authority and found nothing.

However, on visiting it a second time I agree with you that the valicert with a matching signature is on the list, so you are correct on that point.

My question to you is: if the intermediate certificate wasn't installed on the server, how come I am not warned when visiting on a desktop browser?

Arnie said...

If you do decide to get your SSL certificate from GoDaddy then using one of the following coupon codes will save you money:

GROUCHSSL = $12.99 standard SSL certificates (normally $24.99-$49.99)
EMMASSL = $12.99 standard SSL certificates (normally $24.99-$49.99)
MTECHSSL – standard SSL certificates just $12.99 (normally $24.99-$49.99)

Cheap SSL Certificate said...

Go Daddy is a leading provider of SSL these days. Its root is in fact valicert, which is in the list that has been linked. And they are certainly recognized by iOS.

Cheap SSL said...

Nowadays e-commerce sites need an SSL certificate, so how to find cheap SSL is a question frequently asked by website owners. I think they may find a cheap SSL certificate from ClickSSL.com

ssl247.com said...

Thanks for the warning, I was about to buy an SSL certificate from GoDaddy for the iPhone but I thought I'd do a bit of background research first which led me to this post. I'm glad I decided to do some research otherwise I wouldn't have found this out, thanks again for the warning.

MyCheapSSL said...

You may buy valid SSL certificates at the cheapest rates here.

We provide all kinds of SSL certificates from vendors like VeriSign, GeoTrust, RapidSSL, Thawte.

http://www.mycheapssl.com