The X.509 certificate-trust implementation in Apple iOS prior to 9.1 does not recognize that the kSecRevocationRequirePositiveResponse flag implies a revocation-checking requirement, which makes it easier for man-in-the-middle attackers to spoof endpoints by leveraging access to a revoked certificate.
Vulnerable Product |
---|
apple iphone os |
apple watchos |