Show HN: Check if your browser is vulnerable to the Apple SSL bug | Better HN

68 comments

53 comments · 16 top-level

ef412y ago· 10 in thread

Why the hell would Apple publish the vulnerability & fix for iOS without a concurrent update to OS X?!

NelsonMinar12y ago

It's common security practice to release the exploit before the bug is patched in the OS. Oh wait, no, the opposite of that. Unless you're Apple. I'm very angry.

gress12y ago

Presumably because the vulnerability is already known outside of Apple, and it's better not to hold back the iOS patch while they get the OSX patch done.

smnrchrds12y ago

How hard is it to get the patch done? Isn't it, like, removing one line?

cantfindmypassOP12y ago

It became widely known outside of Apple due to the iOS patch.

cantfindmypassOP12y ago

I don't know - I can't imagine that nobody on their security team pointed out that someone would promptly reverse engineer the patch and figure out that OS X is also vulnerable.

praseodym12y ago

And having the source code available made that even easier.

rch12y ago

I haven't upgraded to Mavericks, and I haven't been able to replicate the bug. I've been applying other updates, everything except Mavericks, all along.

chmars12y ago

The deployment on iOS was not very active either. I learned about the 'bug' through online sources and I had to initiate the iOS update myself.

raverbashing12y ago

OSX 10.8.5 here, Safari not vulnerable according to the site

brymaster12y ago

This bug was introduced in Mavericks.

nraynaud12y ago· 5 in thread

I get the red "PATCH IMMEDIATELY" in safari, where is the patch??? after a bit of research this looks like a good old UX fail since there is no patch yet anyways. Don't write something in red if there is no path to a solution.

cantfindmypassOP12y ago

I am now for informational purposes linking to the OS X patch released by i0n1c.

http://www.sektioneins.de/en/blog/14-02-22-Apple-SSL-BUG.htm...

ephemeralgomi12y ago

Yeah, if there's no path to a solution, the text should say "Your computer is correctly following the undesired behavior described in HT6147" in a soothing green color.

...

nraynaud12y ago

nope, saying that there is a page to check for an upcoming solution. Stating that there is nothing to do for now anyways.

cantfindmypassOP12y ago

I'm not checking for Safari vs OS X. I'm not sure what else to say to vulnerable OS X users - there is not really any effective mitigation besides turning the computer off.

ephemeralgomi12y ago

You're doing fine, this guy is just bikeshedding. Thanks for the tool, it certainly helped me.

mirkules12y ago· 4 in thread

Can anyone confirm this on an iOS 6 device? I don't have of those anymore. Good news is iPad running 5.1.1 is not affected, which almost leads me to believe this vuln was introduced with iOS 7

evanspa12y ago

Safari on 3GS running iOS 6 is vulnerable; chrome on the same device is not vulnerable

rasur12y ago

Safari under 6.1.3 is vulnerable, according to this site (I just tested my old iPhone)

adsr12y ago

There is a patch available for iOS 6 as well.

plorg12y ago

iPod 4g, 6.1.5. Vulnerable.

ef412y ago· 3 in thread

So if you're on Mavericks and left hanging, there are some evasive actions you can take.

As others have pointed out, Firefox and Chrome are not vulnerable. But what else may be relying on the system SSL implementation? Your IM client? Various software updaters? Dropbox? Skype? Etc.

Rather than guess, I'm whitelisting only the things I trust. I'm using the pf firewall to block all outbound connections other than DNS and SSH, using SSH to open a SOCKS proxy tunnel, and configuring Firefox to use the proxy (not via the system proxy settings -- via Firefox's own proxy config, so other apps don't know about it and can't get out).

A simpler solution for those who want to buy a commercial product would be to install Little Snitch and start with a completely empty list of approved apps, then turn on only Firefox.

wlesieutre12y ago

>But what else may be relying on the system SSL implementation? Your IM client? Various software updaters? Dropbox? Skype? Etc.

Mail seems like a huge concern. I use two-factor on my google account, but that's not worth much when SSL doesn't work. For the time being, at least there's webmail + Firefox.

krrrh12y ago

This article claims that you can grep for the version number using otool and if it's not present the binary uses a different version of the library.

http://www.theregister.co.uk/2014/02/23/apple_mac_os_x_10_9_...

Latest Dropbox (v2.6.5), Adium, and Skype are fine according to this test. Most of Apple's software appears vulnerable however.

I'm not at all sure if this test is definitie however.

chmars12y ago

Many apps use WebKit and are therefore affected too. It is in particular obvious for special purpose browsers like Mailplane.

allochthon12y ago· 3 in thread

It's becoming quite a chore to keep your computer and online accounts secure. I'm in the industry; anyone who is not is probably a babe in the woods these days.

tantalor12y ago

What a delightful idiom. I had to look it up.

https://en.wikipedia.org/wiki/Babes_in_the_Wood

gress12y ago

Actually this demonstrates the opposite - this vulnerability has just been patched for half a billion people with no effort on their part.

cantfindmypassOP12y ago

Apple still hasn't released a fix for OS X...

aroch12y ago· 3 in thread

I can confirm that this is fixed in 10.9.2 (Since the first build of it). From the looks of things (and some friends in the Mavericks dev group), the final 10.9.2 should be dropping very soon

cantfindmypassOP12y ago

My web logs show lots of systems identifying as 10.9.2 pulling the test image from the bad server.

mikhailt12y ago

No, it isn't. It is still affected in the latest 10.9.2 builds.

aroch12y ago

No...Not as far as I can tell. Attempting to connect over the bare IP address to an SSL site results in a curl error[1]. Whereas under 10.9.1 its allowed

1: http://pastebin.com/AZ38WYaB

djao12y ago· 2 in thread

Anyone who thinks Chrome and Firefox are safe from this bug doesn't understand the issue. SecureTransport is used for updating software. So an attacker could trick you into installing a malicious update to Chrome, FireFox, or for that matter anything on your system. They could even slip in malware under the guise of a patch that purportedly fixes this bug. Using alternative browsers does NOT completely protect you.

mikeash12y ago

Chrome uses its own updater which presumably uses the same non-vulnerable SSL implementation as the rest of the program.

djao12y ago

Doesn't matter, the system updater can blow away Chrome or anything else.

firstplanthendo12y ago· 2 in thread

Using the program Little Snitch on OS X 10.8 now to block everything except Firefox (recommended by u/ef4 here)- successfully helped Safari pass this browser test.

Can anyone else comment on if this is a decent solution?

franl12y ago

I don't think 10.8 has the vulnerability. At least my MBP with 10.8 doesn't appear to have it. Both of the test URLs from HN had the desired behavior in Safari on that machine (ie they blocked content / didn't establish a connection).

EDIT: I'm not using Little Snitch or anything other than the builtin OSX firewall.

jmyc12y ago

Yes, Little Snitch can help Safari pass this browser test (the unusual port was a red flag for me).

bsenftner12y ago· 2 in thread

I'm seeing a positive (yes the bug is there) on all my Apple devices, including my OSX laptops - laptop sees the bug IF and only IF I browse using Safari. Chrome and FF browse to your page fine on the laptop.

I've not seen any information about fixing this issue on OSX. Have I just missed it in the noise about the iOS fix?

cantfindmypassOP12y ago

No OS X patch is available yet. :-(

Chrome/Firefox shouldn't be vulnerable.

kalleboo12y ago

Chrome on iOS also seems safe

bcl12y ago· 1 in thread

You can already do this here - https://www.imperialviolet.org:1266/

On OSX Firefox and Chrome fail and Safari happily loads it. Yay for not using system crypto libraries.

cantfindmypassOP12y ago

I started making this before agl released that, though he had that up before I finished.

Also, upon closer inspection, mine actually works differently from agl's.

Jayschwa12y ago· 1 in thread

For HTTPS clients that don't execute Javascript (e.g. curl), GET https://gotofail.com:1266/

kylec12y ago

You'll need to request the image directly:

    curl "https://gotofail.com:1266/test.png"

curl on OS X 10.9.1 fetches the image without complaint, while curl on Debian is correctly reporting an RSA padding check error.

oneplusone12y ago· 1 in thread

OSX 10.8.4 fails correctly. Was this bug introduced with Mavericks?

cantfindmypassOP12y ago

Yes, the bug is a regression introduced in Mavericks.

userbinator12y ago

I use a filtering proxy which uses OpenSSL and it just reports "socket error" in the log and retries the connection around a dozen times before it gives up, so it seems I'm not vulnerable; non-Apple software isn't affected by this?

mh-12y ago

Safari fails on 10.9.1.

rasengan012y ago

OS X 10.7.5 passes; y'all should downgrade ;-)

anoncow12y ago

why does it say my browser is vulnerable? Using Ucbrowser on lumia.

j / k navigate · click thread line to collapse