Heartbleed, the new OpenSSL hack: How does it affect OS X and iOS?
An OpenSSL exploit leaves vulnerable countless Internet services that rely on data encryption. Is your Mac or your iOS device vulnerable?
OpenSSL is popular open source encryption software used all over the Internet. It's been in the news a lot lately, with a lot of dire warnings about what a newly discovered bug means for your personal data. Is it a threat to OS X security or iOS security? Do you need to be worried about your Mac, iPhone or iPad being vulnerable? AskDifferent:
No versions of OS X are affected (nor is iOS affected). Only installing a third party app or modification would result in a Mac or OS X program having that vulnerability / bug in OpenSSL version 1.0.x.
So Mac users can breathe a sigh of relief. iOS users are also off the hook. Apple doesn't use OpenSSL in iOS at all. Apple doesn't like OpenSSL on OS X either, thanks to what it calls an unstable API (application programming interface). The company actively dissuades registered developers from using it in its security documentation.
Apple does keep an older version of OpenSSL around that isn't vulnerable to the exploit. Safely chained to a wall. In the dungeon. It prods it with sticks now and again to make sure it's still breathing.
Oh, by the way - do you depend on iCloud for anything? Mail, maybe, or using iCloud.com apps? Syncing your data with iOS and Mac devices? You can rest assured that OpenSSL isn't an issue there. you can rest pretty easy at this point that your Apple ID is safe.
That means we're all off the hook, right?
No. Not even close.
Apple devices are safe, but data is not
I can't overemphasize this: your Apple device may be safe, but your encrypted data may not be. This is a very big deal because it affects many of the web sites and other Internet services you use. If the service uses OpenSSL to help manage the flow of encrypted data, it may be at risk. Hit up the services you depend on to find out if OpenSSL was used to encrypt data, and make sure they're up to date. Once you know that they are, it may be wise to change passwords for additional security.
OpenSSL's vulnerability is important to understand, regardless. The flaw enables the theft of information otherwise protected by SSL/TLS encryption, making vulnerable many web sites, virtual private networks, e-mail systems and more.
It's called Heartbleed because it exploits the security protocol's "heartbeat" extension, which keeps a connection alive between the client and the service. Exploiting a flaw, information can be decrypted and viewed by a third party.
Deja vu all over again
Doesn't SSL/TLS ring a bell? Just a couple of months ago Apple published updates to SSL/TLS for Mavericks, iOS 6 and iOS 7 to correct an entirely different issue related to connection verification. That was commonly known as the "GoToFail" bug.
That problem directly affected SSL/TLS connections on Apple devices for reasons unrelated to OpenSSL. But suffice it to say that 2014 hasn't been kind SSL/TLS thus far — a security protocol that the Internet is dangerously dependent on at present.
Are you worried about seeing your encrypted data hijacked from Internet services you depend on? Let me know in the comments.