14 DAY TRIAL // Following the recent attacks against iCloud users from China, Apple issued a security warning, ensuring that the incidents did not impact the iCloud sign-in process if the action was done from Apple products.
On Monday, news broke about the Chinese government orchestrating a nation-wide man-in-the-middle attack against its citizens through China Telecom and China Unicom Internet providers, trying to harvest their log-in credentials for Apple’s iCloud storage service.
Apple confirms use of insecure certificate
Trying to connect to iCloud through Firefox and Chrome browsers would trigger a warning about a dangerous page lying ahead. This would happen because users were redirected to a phishing page impersonating the original iCloud log-in and a fraudulent certificate was used to trick visitors into believing that the connection is secure.
No such warning was delivered in Qihoo, however, the most popular web browser in China, putting users at risk of losing their iCloud credentials.
Apple confirmed the attacks and the fact that an insecure certificate had been employed, and advised users not to dismiss any browser warnings regarding the security of the content exchanged through the accessed page.
Apple servers not impacted, traffic has to be encrypted
The company also assured that the data centers had not been compromised. “These attacks don't compromise iCloud servers, and they don't impact iCloud sign in on iOS devices or Macs running OS X Yosemite using the Safari browser,” an official announcement on Tuesday said.
Relying on Chrome and Firefox to detect an insecure digital certificate for a web page has the same effect, regardless of the operating system employed; the most important thing is not to disregard the alert and refrain from accessing the suspicious page or providing the Apple ID credentials.
“To verify that they are connected to the authentic iCloud website, users can check the contents of the digital certificate as shown below for Safari, Chrome, and Firefox—each of which provides both certificate information and warnings,” the post read.
Connection to the iCloud log-in page should always be protected through encryption; any sign of insecurity is to be taken seriously.
Users can also protect access to their private information on Apple’s data centers by enabling two-factor authentication (2FA), a security feature that requires a second verification code to be entered, apart from the username and password.
The 2FA code is delivered to a device selected by the true owner of the account, most often the mobile phone. It acts as a one-time-password (OTP), which expires after a brief period of time, sufficiently large to allow signing into the service.