Proof that Apple is more secure than Android or Windows. This should shut those boys up.

Security through obscurity is not more secure. The fact that Apple doesn't use OpenSSL is actually more alarming since OpenSSL is a known entity that is constantly analyzed for security exploits. Perhaps they use another well known security library but their "press release" doesn't provide any useful information in that regard.
 
Apple is being vague about this.

What is definition of "key services"?

It would have been nice if they had come out and stated that the iTunes store, the Apple store, and iCloud were not affected. One would assume that those are key services, but who knows?

Apple uses many Linux servers... and chances are a good proportion are affected.
 
Do you know why Apple services and products were not affected? Pure dumb luck.

Apple is just lazy - they keep their BSD subsystem ridiculously outdated:

Although 0.9.8y was released earlier this year, it was a minor point release for a major version of SSL originally released in 2005. :eek:

You say Apple is lazy. But maybe there is a reason why they didn't upgrade. Maybe they did a careful review of this version 0.9.8y. And they didn't want to switch to another version with another very careful review - which turned out to be the right decision.
 
Their statement contained a bit of marketing blahblah.

It's not important that Apple takes security very seriously and it doesn't even matter in this case - nobody (maybe except for the NSA^^) knew about this issue, so there wouldn't have been anything Apple could have done.

Regardless of whether the NSA planted this bug or was previously exploited by them, I can almost guarantee the bug was indirectly exposed because of all the recent NSA news.

This was one of the NSA diagrams released

[image: nsa-smiley-face-FB.jpg]


That smiley face apparently made many Google employees furious... one of whom later went off to find this bug in openssl.
 
That has got to be a joke. Not even your login page uses HTTPS. Which, just saying, is completely ridiculous in the year 2014.

Except that I know from a large amount of experience the most common reason by far for outdated software is neglect.

There are a huge number of command line utils and libraries which would benefit users by being updated in OS X...

OpenGL anyone?? :rolleyes:
 
Proof that Apple is more secure than Android or Windows. This should shut those boys up.
Windows is largely unaffected, too, including Azure (excepting Linux VMs which might have had the package installed).

It's just because Microsoft and Apple don't happen to use OpenSSL, which can be installed on a wide variety of platforms. This bug could have occurred in any system, frankly.
 
You say Apple is lazy. But maybe there is a reason why they didn't upgrade. Maybe they did a careful review of this version 0.9.8y. And they didn't want to switch to another version with another very careful review - which turned out to be the right decision.

You must be getting dizzy from all that spinning!

So they did this careful investigation of OpenSSL, but didn't investigate their almost constantly exploitable versions of Java?

----------

Not exactly. OpenSSL has gotten a lot of flak in the past for being a shoddy library. There's plenty of security researchers who've looked through the code and said it's a mess. So perhaps Apple knew to stay away where possible.

Yep, and each and every one of those security researchers missed this bug.
 
Marketing fluff

Apple is bragging that they never included the 1.0.1 release of OpenSSL as if they carefully vetted the security of each library they include. In reality they're just behind on OpenSSL and by complete luck didn't get burned by this one. Mavericks shipped with 0.9.8y from last year. Nice spin from the PR guys, but they avoided this by chance only.
 
You say Apple is lazy. But maybe there is a reason why they didn't upgrade. Maybe they did a careful review of this version 0.9.8y. And they didn't want to switch to another version with another very careful review - which turned out to be the right decision.

Sorry, but when extremely talented developers from all over the world for many different operating systems missed this bug, I don't believe Apple was being cautious...

Debian Wheezy
Ubuntu 12.04.4 LTS
CentOS 6.5
Fedora 18
OpenBSD 5.3
FreeBSD 8.4
NetBSD 5.0.2
OpenSUSE 12.2

And others were vulnerable.

OpenBSD developers have a hard earned reputation for being security freaks...they even missed this.
 
Just to be safe, I went about changing my Apple IDs today (all 6 of them) and spent an hour trying to get em all done. Frustrated, I went and got 1password despite my reservations about the iOS app and was surprised by how easy it was.

Needless to say, it saved me a lot of trouble. :)
 
Apple is bragging that they never included the 1.0.1 release of OpenSSL as if they carefully vetted the security of each library they include. In reality they're just behind on OpenSSL and by complete luck didn't get burned by this one. Mavericks shipped with 0.9.8y from last year. Nice spin from the PR guys, but they avoided this by chance only.

I completely agree.
 
Does this mean using Safari browser is not affected and what about Chrome, are both not affected on my Mac or just safari?
 
Except that I know from a large amount of experience the most common reason by far for outdated software is neglect.

As an expert in the field for 20 years, this bashing is ridiculous.

Many companies do not use the latest and greatest intentionally. They don't upgrade unless there is a need. Don't fix what isn't broken. We are just now upgrading from Windows XP to Windows 7. It takes this long for all our internal software to be migrated and there to be a need.

This bug generally affects web servers and other applications using OpenSSL versions 1.0.1 through 1.0.1g. Apple's web servers used a previous version, 0.98. OpenSSL is just one of many components of Linux/Unix that Apple uses, many of which are the latest versions, many of which aren't. Apple has a team which decides whether or not to use certain versions, and there is no need to use the latest if it has new features Apple doesn't use, or is bloated, or uses too much system resources. Use the one that is better.

Apple might have gotten lucky on this, they might have been smart. Nobody but Apple internally knows. Apple just released a bulletin to let people know, because OS X IS Unix. It's necessary to say they aren't affected, just like if Red Hat wasn't affected, they would say so too.

----------

Does this mean using Safari browser is not affected and what about Chrome, are both not affected on my Mac or just safari?

It's a web server thing, nothing to do with a web browser. If you've visited sites like Google, Yahoo, Amazon, your password or other information may have been compromised. 2/3rds of websites use the latest Apache web server, thus they were all affected.
 
It's probably important to note that anyone running a website on an affected system which used an SSL certificate should be asking their SSL provider to revoke and reissue - this bug allowed private keys to be leaked.

----------

As an expert in the field for 20 years, this bashing is ridiculous.
...
2/3rds of websites use the latest Apache web server, thus they were all affected.

Right.. you're an expert in the field for 20 years and you can't read a standard CVE?

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

This has NOTHING to do with the version of Apache and everything to do with the version of SSL that Apache was compiled against.

How do I know? Because all week I have been managing a team which has been updating SSL and recompiling Apache on more than a thousand vulnerable servers.

----------

It's a web server thing, nothing to do with a web browser. If you've visited sites like Google, Yahoo, Amazon, your password or other information may have been compromised. 2/3rds of websites use the latest Apache web server, thus they were all affected.

And it's not a "web server thing" - it's an "anything compiled against a vulnerable version of openssl" thing. E.g. - DB, FTP, SMTP, POP, IMAP.
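The point made in the post above, that exposure is decided by the OpenSSL build a binary is linked against rather than by the Apache version, is what a host check has to test. The following is an added example, not code from the thread or from any poster; it classifies an `openssl version` token against the CVE-2014-0160 affected range (1.0.1 through 1.0.1f plus 1.0.2-beta1; 1.0.1g is the fixed release) and uses `ldd` to find listening services that dynamically link libssl. The `ss -ltnp` and `/proc/PID/exe` parts assume Linux and root privileges.

```shell
#!/bin/sh
# Added example: Heartbleed (CVE-2014-0160) exposure check for one host.
# Version strings are only a first screen: distributions backported the fix
# without bumping the version (e.g. a patched 1.0.1e), so confirm against
# your vendor's advisory before declaring a host clean or dirty.

# heartbleed_vulnerable VERSION -> prints "vulnerable" or "not-vulnerable".
# Takes the second token of `openssl version`, e.g. "1.0.1e" or "1.0.1e-fips".
heartbleed_vulnerable() {
  case "$1" in
    1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) echo vulnerable ;;
    *) echo not-vulnerable ;;
  esac
}

# version_of_openssl_cli -> version token of the openssl CLI on PATH, if any.
version_of_openssl_cli() {
  openssl version 2>/dev/null | awk '{print $2}'
}

# libssl_linked BINARY -> exit 0 when the binary dynamically links libssl.
# Statically linked daemons are missed here; check them by package instead.
libssl_linked() {
  ldd "$1" 2>/dev/null | grep -q 'libssl'
}

# inventory_listening_services -> one line per listening process (any
# protocol: HTTP, SMTP, IMAP, DB, ...) whose executable links libssl.
inventory_listening_services() {
  ss -ltnp 2>/dev/null | grep -o 'pid=[0-9]*' | cut -d= -f2 | sort -u |
  while read -r pid; do
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
    if libssl_linked "$exe"; then echo "$pid $exe links libssl"; fi
  done
}

# report_host -> CLI version verdict, then the libssl-linked listeners.
report_host() {
  v=$(version_of_openssl_cli)
  echo "openssl CLI: ${v:-none} ($(heartbleed_vulnerable "${v:-unknown}"))"
  inventory_listening_services
}
```

Run `report_host` as root on each server in the fleet; a service that still links an affected libssl after an upgrade usually just needs a restart so it picks up the new library.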
 
Wonder how the guy that wrote the affected SSL code feels about all the buzz..
 
Proof that Apple is more secure than Android or Windows. This should shut those boys up.

This statement is proof that "Apple fans" who think they know what they're talking about, will be laughed at when confronted by a person who knows their stuff.

As said, this has nothing to do with OS X, iOS, Windows, or Android.

Seriously though, you really made yourself sound very naive.
 
This statement is proof that "Apple fans" who think they know what they're talking about, will be laughed at when confronted by a person who knows their stuff.

The same people who scream and shout when Apple doesn't give them their fancy graphics by updating OpenGL are the ones now spouting nonsense about how wise Apple were for running a drastically outdated version of openssl.

Besides, their cause and effect are backwards - they are trying to imply that Apple steered clear of an updated version of openssl because it might contain bugs?

It is far more likely that this version of openssl was targeted because a high proportion of public-facing servers were running this version.
 