What Apple’s SSL bug means to you

On Friday it was revealed that Apple has a very serious flaw in iOS 6, iOS 7, and Mac OS X 10.9.x.

You should stop what you are doing and update iOS now. AgileBits has a good explanation of how to do this here:

1Password is not affected by the SSL bug (http://tinyurl.com/mxhj2vh)

As of this writing (Sunday night, February 23rd) Apple does not have a patch for OS X 10.9 Mavericks, but has said that one will come “very soon.” You can get that update by choosing “Software Update…” from the Apple menu. 10.8 and earlier do not appear to have this flaw.

To test your system, use gotofail.com.

What’s the issue?

When your computer connects to the Internet and asks for a secure connection, it does so using one of several protocols. Secure Sockets Layer (SSL) is one of them. When the data comes back, the operating system performs checks to make sure everything is proper and that the other end is who it claims to be.

Sometime in 2012, Apple checked in some broken code. The code had an extra line that caused the software to always skip a check and consider the answer good. Now if someone has control over a privileged portion of the network you are communicating on, they can intercept the data and lie to iOS or OS X. Because of the bug, the lie will not be caught and your data will not be properly protected.
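The shape of that extra line, as an added illustration rather than Apple's actual code: a simulated handshake check in which a duplicated `goto fail;` runs unconditionally, so the signature check after it is never reached and the function returns success, shown next to the corrected form. The two check helpers are stand-ins constructed for this example.

```c
#include <stdio.h>

/* Constructed stand-ins for the handshake hashing and signature steps.
   Each returns 0 on success and a non-zero error code on failure. */
static int update_hash(int ok)       { return ok ? 0 : -1; }
static int verify_signature(int ok)  { return ok ? 0 : -2; }

/* Buggy shape: the second "goto fail;" is not governed by the if, so
   control always jumps to fail with err still 0. verify_signature()
   is dead code, and a bad signature is reported as success. */
int verify_buggy(int hash_ok, int sig_ok) {
    int err = 0;
    if ((err = update_hash(hash_ok)) != 0)
        goto fail;
        goto fail;   /* the duplicated line */
    if ((err = verify_signature(sig_ok)) != 0)
        goto fail;
fail:
    return err;
}

/* Corrected shape: every goto is guarded, so the signature check runs
   and its error code propagates to the caller. */
int verify_fixed(int hash_ok, int sig_ok) {
    int err = 0;
    if ((err = update_hash(hash_ok)) != 0)
        goto fail;
    if ((err = verify_signature(sig_ok)) != 0)
        goto fail;
fail:
    return err;
}

int main(void) {
    /* hash ok, signature bad: the buggy version still reports success */
    printf("buggy: %d  fixed: %d\n", verify_buggy(1, 0), verify_fixed(1, 0));
    return 0;
}
```

Compilers can flag this pattern: clang's `-Wunreachable-code` reports the dead signature check, and gcc's `-Wmisleading-indentation` reports the indented second `goto`, so either warning treated as an error would have caught the duplicated line at build time.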

So someone who has taken control of a coffee shop’s Wi-Fi router, or a rogue employee at an ISP, or a hacker who has taken over a router somewhere, can listen to the traffic from Safari, iMessage, iCal, Mail, etc.

Chrome and Firefox are not affected because they do not use Apple’s code for SSL.

This is a really big deal. You are encouraged not to use a network you do not trust until Apple patches OS X. Apple has already patched iOS 6 and 7, but not OS X.

iOS 5 is not affected.

For more reading, check out ImperialViolet.

Apple needs to be held accountable somehow. Depending on how much tin is in your hat, this bug is either a plain bug that was not caught because Apple lacks code review and unit testing practices, or they added it for the NSA, or a rogue NSA employee added it. That does not matter: this is the most trusted of code, and it should never fail like this for so long.