Apple acknowledged this at the time as something it would fix in the future, although it said it had received no reports of phishing that relied on this approach. The ability to refresh a mail message has been removed in both iOS 8.4 and the Yosemite 10.10.4 update.
The tricky issue of a Chinese certificate authority
In March, Google revealed that CNNIC, the Chinese agency that runs the .cn top-level domain and also acts as a certificate authority (CA) issuing the digital certificates behind secure web connections, had violated the rules that CAs must follow to remain in the root trust stores of the major operating system and browser makers. In short, CNNIC had issued an intermediate certificate to a third party that let that party mint certificates for any secure website in the world. Fortunately, Google detects unauthorized certificates issued for its own domains, and that is how these were caught.
Google and Mozilla, maker of the Firefox browser, reacted quickly: CNNIC was removed from the trusted CA list for Android, Chrome, Chrome OS, Firefox, Firefox OS, and Thunderbird. Microsoft removed only the intermediate certificate that CNNIC had issued against the rules. Apple, until today, had done nothing. I noted in late April that Apple's and Microsoft's extensive dealings in China may have led to an uncomfortable situation, putting Apple at odds with its stated commitment to customer security and privacy.
In today's OS X and iOS updates, Apple remedies this. While it downplays CNNIC's behavior ("an intermediate certificate was incorrectly issued by the certificate authority CNNIC"), it has added a new mechanism called the "security partial trust allow list." This lets Apple accept only a subset of the certificates a given CA has issued, rather than everything that CA signs.
Apple's revised Trust Store, its set of trusted root CAs, now rejects certificates that CNNIC issued after its "incorrect" event. By disallowing only newer certificates, Apple spares its Chinese customers, and anyone outside the country connecting to Chinese sites, from security warnings on sites that were already using CNNIC certificates. Sites presenting newly issued CNNIC certificates will now fail in Firefox, Android, Chrome, and Safari, but not in Internet Explorer, given Microsoft's more limited response.
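What a partial-trust rule looks like in code, as an added example that is not Apple's implementation and not from the original article: the ordinary chain build runs first, then the root each chain ends at is looked up in a policy keyed by the root's SHA-256 fingerprint, and a leaf issued after that root's cut-off date is refused. The CA name, hostnames, cut-off and "current" dates are constructed for the demonstration, and keying the policy by fingerprint with a per-root date is this example's own assumption, not a description of Apple's allow-list format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint returns the hex SHA-256 of a certificate's DER encoding, the
// usual way a trust store names one certificate.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// PartialTrust maps a root's fingerprint to the cut-off after which leaf
// certificates chaining to it are refused. Roots absent from the map stay
// fully trusted, as before. (Assumed policy shape, not Apple's format.)
type PartialTrust map[string]time.Time

// Verify runs the ordinary chain build, then applies the partial-trust rule
// to the root each candidate chain ends at. One acceptable chain is enough.
func Verify(leaf *x509.Certificate, roots *x509.CertPool, policy PartialTrust,
	dnsName string, now time.Time) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName, CurrentTime: now})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		root := chain[len(chain)-1]
		if cutoff, restricted := policy[Fingerprint(root)]; !restricted || leaf.NotBefore.Before(cutoff) {
			return nil
		}
	}
	return errors.New("leaf issued after the cut-off for a partially trusted root")
}

// makeCert signs tmpl under parent with the signer's key and parses the result.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewRoot makes a self-signed CA valid for ten years from start.
func NewRoot(name string, start time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: start, NotAfter: start.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return makeCert(tmpl, tmpl, &key.PublicKey, key), key
}

// IssueLeaf signs a one-year server certificate for dnsName under the CA.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, notBefore time.Time, serial int64) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName}, NotBefore: notBefore, NotAfter: notBefore.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return makeCert(tmpl, ca, &key.PublicKey, caKey)
}

// Demo issues one leaf before and one after a constructed cut-off date under a
// constructed root, and returns the verification result for each.
func Demo() (beforeErr, afterErr error) {
	start := time.Date(2014, 1, 1, 0, 0, 0, 0, time.UTC)
	cutoff := time.Date(2015, 3, 20, 0, 0, 0, 0, time.UTC) // assumed incident date
	now := time.Date(2015, 7, 1, 0, 0, 0, 0, time.UTC)
	root, rootKey := NewRoot("Example Partially Trusted CA", start)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	policy := PartialTrust{Fingerprint(root): cutoff}
	old := IssueLeaf(root, rootKey, "old.example.test", cutoff.AddDate(0, -6, 0), 2)
	fresh := IssueLeaf(root, rootKey, "new.example.test", cutoff.AddDate(0, 1, 0), 3)
	return Verify(old, roots, policy, "old.example.test", now),
		Verify(fresh, roots, policy, "new.example.test", now)
}

func main() {
	beforeErr, afterErr := Demo()
	fmt.Println("issued before cut-off:", beforeErr)
	fmt.Println("issued after cut-off: ", afterErr)
}
```

The point of running the standard chain verification first is that the partial-trust rule only narrows an otherwise valid chain; it never rescues an invalid one. The policy is applied per chain, so a leaf that also chains to an unrestricted root is still accepted.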
(I'll have more details on this, the Trust Store webpages, and what you can do in OS X in this week's Private I column.)
Downgraded encryption keys
Apple also patched an obscure but serious encryption flaw, known for months, in which a malicious party that could insert itself into a connection and intercept the negotiation of a secure session (typically for email or websites) could force the browser and server to fall back to an outdated, weakened key exchange whose keys can be broken, exposing the traffic.
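The downgrade described above matches the export-grade Diffie-Hellman weakness known as Logjam. The following added example, not from the original article and not Apple's code, models the exchange with both sides' messages: the client never offers export suites, an on-path attacker rewrites the ClientHello so the server picks one anyway, then relabels the reply so the client sees the strong suite name it expected while the server's signed 512-bit group passes through. The fix shown is the one browsers shipped, a client-side floor on the group size. The suite names, group sizes and preference lists are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
)

// Suite is one cipher suite as named in a ClientHello, plus the size of the
// Diffie-Hellman group the server signs when that suite is chosen (0 for
// suites without ephemeral Diffie-Hellman). Names and sizes are constructed.
type Suite struct {
	Name   string
	DHBits int
}

var (
	strongDHE = Suite{"DHE-RSA-AES128-GCM-SHA256", 2048}
	exportDHE = Suite{"EXP-EDH-RSA-DES-CBC-SHA", 512} // export-grade: 512-bit group
	staticRSA = Suite{"AES128-SHA", 0}

	// The client never offers export suites; the server still accepts them.
	ClientOffer = []Suite{strongDHE, staticRSA}
	ServerPrefs = []Suite{strongDHE, exportDHE, staticRSA}
)

// ServerHello is what reaches the client: the announced suite and the group
// size carried in the server's signed key-exchange parameters.
type ServerHello struct {
	Suite  string
	DHBits int
}

// serverSelect picks the first suite in the server's preference order that
// appears in the offer it received, as a real server does.
func serverSelect(serverPrefs, offer []Suite) (ServerHello, error) {
	for _, s := range serverPrefs {
		for _, c := range offer {
			if s.Name == c.Name {
				return ServerHello{s.Name, s.DHBits}, nil
			}
		}
	}
	return ServerHello{}, errors.New("no common cipher suite")
}

// relabel is the attacker's second edit: the reply is renamed to the strong
// DHE suite the client did offer, while the signed 512-bit group passes
// through untouched. The signature stays valid because it covers the group,
// not the suite name.
func relabel(clientOffer []Suite, hello ServerHello) ServerHello {
	for _, c := range clientOffer {
		if c.DHBits >= 1024 {
			hello.Suite = c.Name
			break
		}
	}
	return hello
}

// clientCheck is the client's acceptance test. Matching the suite name against
// the original offer catches nothing here; only the group-size floor does.
func clientCheck(clientOffer []Suite, hello ServerHello, minDHBits int) error {
	offered := false
	for _, c := range clientOffer {
		offered = offered || c.Name == hello.Suite
	}
	if !offered {
		return fmt.Errorf("server chose %s, which was never offered", hello.Suite)
	}
	if hello.DHBits > 0 && hello.DHBits < minDHBits {
		return fmt.Errorf("%s negotiated a %d-bit DH group, below the %d-bit floor",
			hello.Suite, hello.DHBits, minDHBits)
	}
	return nil
}

// Handshake runs offer -> server choice -> client check. With attacked set,
// an on-path attacker substitutes export suites into the offer and relabels
// the reply. It returns the ServerHello the client saw and the client's verdict.
func Handshake(clientOffer, serverPrefs []Suite, attacked bool, minDHBits int) (ServerHello, error) {
	offer := clientOffer
	if attacked {
		offer = []Suite{exportDHE}
	}
	hello, err := serverSelect(serverPrefs, offer)
	if err != nil {
		return ServerHello{}, err
	}
	if attacked {
		hello = relabel(clientOffer, hello)
	}
	return hello, clientCheck(clientOffer, hello, minDHBits)
}

func main() {
	for _, floor := range []int{512, 1024} {
		hello, err := Handshake(ClientOffer, ServerPrefs, true, floor)
		fmt.Printf("floor %d bits: client sees %s with a %d-bit group; verdict: %v\n",
			floor, hello.Suite, hello.DHBits, err)
	}
}
```

With a 512-bit floor (the pre-patch behaviour) the tampered handshake is accepted even though the client sees its own strong suite name, which is why removing export suites from the client alone was not enough; raising the floor to 1024 bits rejects it, and the server-side fix is to stop accepting export suites at all.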