OS X El Capitan is a Buggy One, So What Can an App Developer Do?
Are you excited for OS X El Capitan, or are you nervous? If you are a developer or ops team for a web application, or dealing with any certificate authorities at all, the release of OS X El Capitan will have you in a panic if you do not address your 512-bit encryption certifications right now.
I have been using OS X El Capitan and iOS 9 for a while now — on my production machines, no less. Not a great idea, but I can’t help it.
Anyway, this is one of the most buggy releases Apple has put out, in my opinion, mostly because of the backward compatibility of existing applications versus the OS directly. Both operating systems — OS X El Capitan and iOS 9 — are tight. But try to run Chrome, or other applications that have a high amount of connectivity to the Web, and you will get crashes and warnings all over the place.
Why? The reason is simple: Apple no longer supports SSL certificates that are are less than 1024-bit over protocols secure Web (HTTPS), enterprise Wi-Fi (802.1X), secure e-mail (IMAP, POP, SMTP), printing servers (IPPS), etc. Here are the release notes for OS X v10.11 and iOS 9.
When these applications connect, you either get warnings in Safari, nice invalid certification indications in Chrome, or impeded application functionality entirely. As a result, I realized that a lot of application certificates are not 1024-bit or higher.
To add insult to injury, around the same time of the Apple Developer beta launch, Google released an update to Chrome which also flags sites with certificates issued by authorities that do not have public audit records. This is a somewhat philosophical problem versus a technical one, but still not pretty. This forces certificate authorities (CA) to disclose who they give certificates to — which does help ween out hackers who are phishing behind fake security.
I agree with both the changes. Disruptions like this are never fun, especially for operations and tech support teams. But they are a necessary move due to the ever more advanced hacking capabilities out there. The RSA Factoring Challenge proves that even as far back as 2009, 768-bit encryption and lower was factored, and essentially proven hackable. As the effort required decreases, the frequency of such hacks will increase.
Fixing web application encryptions and authorities is relatively easy. Update your certificate, or change authority, let it propagate, done. But when the encryption is in the end-points of your APIs, which client applications are using, it is a bigger problem. In this case, your application will likely produce an error, or crash altogether based on an unhandled exception.
This can be seen with Skype and VMware Fusion update clients. Which makes me wonder if the next round of updates, if you were silly enough to use the beta like me, will have to be manual. Beyond update clients, it has impacted productivity tools like LogMeIn and Box Sync, as well. Clients whose business users are already up-and-running might receive an unpleasant surprise or email after the OS update.
With iOS 9 beta the behavior is similar. I’ve noticed it with a few applications of mine, including Cirrus Insight and Bill.com.
Vendors will have a few months to correct these concerns, by issuing automatic updates for those who did not grab the beta. But I think there will be a residual impact of customers asking more questions — Was my machine exposed? Are my enterprise documents secure? Were they not secure before? — which could impact customer faith in products, even if the issue is as simple as a CA that does not have public records. Or connection security being different than content transport encryption. Some vendors will be able to correct these issues silently, if they act quickly.
In case you were worried, Minecraft and Steam are still working. That is all that matters for me right now.
If your application is facing the same problem: address it now, or feel the pain in a few months. In the best case scenario, your customers will get suspicious (not something you want to field). In the worst case scenario, your application will start crashing when it tries to negotiate a connection between the client and your cloud service.
Author’s Disclosure: Box is a customer of mine; my opinions here are my own.