mobile browsers user interface vs. security

I came across a curiosity the other day that I’m still not able to solve, but here you go…

Recently, when logging in to facebook, the following message appeared on my iPhone:

I thought… Ok, in light of all the recent hacks, maybe someone miraculously hacked my iPhone and is trying to steal my facebook details (not that they are worth anything, but anyway).

So I took an almost maiden iPad here in the office and tried the same thing again and came across this picture


I could not reproduce the same thing with any other device or browser. I tried IE, Firefox, Chrome on a PC, Android phone, … I could not reproduce this… On an iOS device, it doesn’t happen all the time, but I can fairly reliably reproduce…

With all the information I have, I am absolutely sure that this is the right certificate… I double checked all the details, including the serial number and the SHA-1 hash. This is definitely the correct certificate.

User Interface

But the real issue that I have is that there is no way in the world anyone can actually make sense of any of the presented information…

The world is abuzz at the moment with cloud offerings… more and more people will transact online… the traditional computer won’t exist anymore and we will only store things online if things go the way google pushes them.. But we can’t really solve the most basic security ┬áissues?

The right action to do is to block this as its impossible to ascertain whether this is the right site… (leaving aside the fact for the moment that it is the right site!!!)

For completeness, here are the screens that are visible when you click on “Details”.

And one iPad picture with the serial number and the signature

And lastly the confirmed correct certificate. (actually raises a good question: how do you undeniably confirm this?)

Does anyone know what’s happening here? Is this a bug in iOS? session-renegotiation?

One thought on “mobile browsers user interface vs. security”

  1. hat tip from Nick: As the SSL certificate itself is correct, the current theory is that facebook doesn’t provide all intermediate certificate authorities as part of the SSL handshake. If they are not in the system (which they are not for Apple Mac’s, so most likely they are not for iOS as well), the system tried to retrieves them from the internet. As the requests have been done over 3G in the train, these requests might have timed out, producing this error message.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>