Apple has told browser users to pay attention to warnings of insecure digital certificates after reports of a "man-in-the-middle" attack against iCloud.com in China emerged earlier in the week.
But Apple's support document, which illustrated the alerts that Chrome, Firefox and Safari post when they have encountered a self-signed certificate, omitted the most popular browser used in the People's Republic of China (PRC): Microsoft's Internet Explorer (IE).
The omission wasn't a shocker: Apple narrowly couched the warning as solely aimed at iOS and OS X customers. "These attacks don't compromise iCloud servers, and they don't impact iCloud sign in on iOS devices or Macs running OS X Yosemite using the Safari browser," Apple said.
Still, Apple included images of what Chrome and Firefox showed their users after the browsers tried to connect to a site secured by a bogus certificate. Those browsers are available in editions for iOS (Chrome only) and on the Mac (Chrome and Firefox).
IE, a vestige of the 1997 Apple-Microsoft partnership, hasn't been supported on OS X since 2005, when Microsoft told users to "migrate to more recent web browsing technologies such as Apple's Safari."
But IE is widely used in China on Windows-powered PCs. According to Irish metrics firm StatCounter, 27% of the browsing activity in the PRC last month was on IE, second only to Chrome. Rival analytics company Net Applications, which measures things differently -- it tallies users, not page views -- regularly pegs IE as China's most popular browser by a large margin.
Like any browser, IE can connect to iCloud.com to manage storage space, use online versions of Apple's iWork productivity suite, add contacts and calendar entries, or view photos uploaded from an iPhone or iPad.
Apple published the warnings after reports surfaced in the PRC over the weekend of man-in-the-middle attacks targeting iCloud.com. Watchdog website GreatFire.org alleged that Chinese authorities were behind the attack -- the Party-controlled government heavily monitors and censors the Internet -- to steal usernames and passwords, probably as a way to continue to spy on citizens who were using the more-secure iPhone 6 and 6 Plus, and who had upgraded their Macs to OS X Yosemite, which during installation asks users to encrypt their hard drives.
Apple acknowledged the man-in-the-middle attacks -- which rely on squeezing into the online "conversation" between devices and website servers -- but did not name the PRC. "We're aware of intermittent organized network attacks using insecure certificates to obtain user information," Apple stated.
Earlier today, Apple CEO Tim Cook -- who is currently in China to press employee flesh after the Oct. 17 on-sale launch there of the iPhone 6 and iPhone 6 Plus -- met with Chinese Vice Premier Ma Kai in Beijing to discuss, among other things, security issues.
Also today, China's Foreign Ministry denied that the government was behind the iCloud.com attacks, and instead implied that the man-in-the-middle attacks had been conducted by rogue hackers, as opposed to those employed by authorities. "'Wild guesses and malicious blemish' will not help solve cyber issues," a ministry spokeswoman said, according to the state-run Xinhua News Agency.
Like other top browsers, IE warns users when it encounters an insecure digital certificate. "The security certificate presented by this website was issued for a different website's address," IE cautions users. "Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server."
"If users get an invalid certificate warning in their browser while visiting www.icloud.com, they should pay attention to the warning and not proceed," Apple advised. "Users should never enter their Apple ID or password into a website that presents a certificate warning."