But to say that "66% of the Internet" is affected is actually quite a bit of an exaggeration. It might well be 66% of the web sites using SSL, but even it was 100%, that still would not be "66% of the Internet."
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Confirms 'Heartbleed' Security Issue Did Not Affect Apple Software and 'Key Services'
- Thread starter MacRumors
- Start date
- Sort by reaction score
But to say that "66% of the Internet" is affected is actually quite a bit of an exaggeration. It might well be 66% of the web sites using SSL, but even it was 100%, that still would not be "66% of the Internet."
It seems only Android 4.1.1 version is effected per their blog http://googleonlinesecurity.blogspot.com/2014/04/google-services-updated-to-address.html
Also those using OS X should go to Keychain Access->Preferences->Certificates and hold down option key and change OCSP and CRL to "require for all certificates" and Priority to "require both" so that you don't accidentally visit sites with revoked certificates when browsing with Safari. This only works on Safari, but there is a way to enable it for Chrome. Seems Firefox 28 doesn't have this option. This can cause error "OSCP service unavailable" with some sites, notably American Express.
----------
I heard it's more like 18-20% because heartbeat function can be turned off and that 66% includes OpenSSL versions not affected by Heartbleed bug.
Also those using OS X should go to Keychain Access->Preferences->Certificates and hold down option key and change OCSP and CRL to "require for all certificates" and Priority to "require both" so that you don't accidentally visit sites with revoked certificates when browsing with Safari. This only works on Safari, but there is a way to enable it for Chrome. Seems Firefox 28 doesn't have this option. This can cause error "OSCP service unavailable" with some sites, notably American Express.
----------
I heard it's more like 18-20% because heartbeat function can be turned off and that 66% includes OpenSSL versions not affected by Heartbleed bug.
You realize that Mac OS X is based off of linux as well... but they stuck to version OpenSSL 0.9.8y
OSX is based on BSD Unix, not Linux.
----------
Can you explain why this helps?
Well, there you go, felt like an accidenthttp://www.dailynewsen.com/breaking...eed-bug-says-it-was-an-accident-h2470359.html
http://www.robin-seggelmann.de/
Ohh, the irony, it hurts
No. This vulnerability is primarily aimed at web servers, so its a website/service owner that'll determine whether or not they're vulnerable. Most updated shortly after the bug was found. You can attack clients with it, but it involves far more work, requires good timing, and requires additional information which attackers generally can't get.
Banks generally haven't used OpenSSL, Microsoft doesn't use OpenSSL, and its quite probable Google used their own SSL implementation for their servers. Same story with Apple.
With the exception of Yahoo, its generally smaller websites and services you have to worry about. The Verge, ArsTechnica, Anandtech, etc. Macrumors would probably be vulnerable, but SSL isn't used to begin with.
OS X is not based on Linux, but it shares similar roots as Linux. It's based off of FreeBSD and UNIX, among other bits and pieces of things.
Source?
Google and Apple both make extensive use of Linux and I can have first-hand knowledge of a large financial organisation being affected by this (for obvious reasons I cannot be more specific).
The primary danger of this incident is that server certificates/keys were stolen.
That allows attackers to perfectly impersonate a site; making the browser say with the little key lock icon "Connection is secure, site is verified and trusted".
I gotta say, the way Apple phrased it does sound very braggish. Especially when compared to Microsoft's announcement on the issue.
Well, there you go, felt like an accident
http://www.smh.com.au/digital-life/...void-heartbleed-heartache-20140410-zqswp.html
Beer destroyed the interwebs??
Microsoft uses their own SSL stack, both in client and server software. Banks don't use OpenSSL because they require (often by law) for there to be accountability for the purposes of suing. OpenSSL obviously can't provide that, but others such as Microsoft can. It can of course vary by country - but OpenSSL cannot by law be used here at least because it does not fulfil all legal requirements placed on banking institutions.
Google weren't vulnerable when attempts were made after the news broke, but they are also large enough to have their own SSL implementation, which makes particularly much sense since their business is heavily on service/web hosting. Internal custom solutions are not uncommon to handle your own environment.
Spinning? I'm trying to educate you. But I doubt you would want to listen, don't want your preconceived ideas to be challenged, do you?
Java is owned by Oracle. Any Java version on MacOS X in recent years is provided to you by Oracle. Has nothing to do with Apple. All that Apple does is block it whenever dangerous exploits get known until Oracle updates it.
Thanks, but if the site can be perfectly impersonated, then how is making this change helpful?
BTW, the Keychain Access preferences options don't seem to be quite the way you stated them.
Apple use their own TLS framework nowadays, which is why they are not affected by this and the version remains. So it's not dumb luck, by any stretch of the imagination.
that issue was exactly that, a hole in the wall. This is equivalent to learning you built on top of a sinkhole, and more importantly, someone may or may not have the keys to your house, and you cant even find out if they do.
Many sites revoked the certificates that they were using while this bug was live. After patching, a new certificate/key was generated - one attackers don't have.
The old certificate is placed in a revocation list, which the system normally checks before actually giving the OK. If it finds the certificate presented in that list, it'll throw up a DANGER DANGER warning, as such events should never happen except in cases of theft/attempted impersonation.
Most browsers make it a proper pain to attempt continued access to a site which shows a revoked certificate, and other software (mail clients, etc) will automatically fail such a connection.
The idea is that a site that beliefs they could have been attacked by this and their certificates my have been compromised should revoke their certificates and get new ones. But revoking a certificate doesn't help if the client (your browser) doesn't check for revoked certificates. In Keychain, you can change settings so that all certificates will be checked for revocation, so Safari won't trust a site using https with a revoked certificate.
you should also have "first-hand" knowledge that major banking firms wouldnt place their entire information security schema in the hands of a single point of failure like open-source encryption software. if they did, then they deserve what they got.
Errr. THE Java flaw (Flashback) was in the version of Java maintained by Apple. They waited TWO months to update their Java after Oracle had patched theirs.
Do you know why Apple services and products were not affected? Pure dumb luck.
Apple is just lazy - they keep their BSD subsystem ridiculously outdated:
Although 0.9.8y was released earlier this year, it was a minor point release for a major version of SSL originally released in 2005.
You are the lazy and dumb luck one. Don't think other people are lazy as well.
Apple deprecated OpenSSL in 10.7. They roll their own SSL stack since then.
None of their software and customer services use OpenSSL. Their tech staff won't support it.
Last edited:
They do use openSSL, just not the versions impacted (1.0.1 through 1.0.1f ).
What is funny is people who have no clue commenting.