An OpenSSL exploit leaves vulnerable countless Internet services that rely on data encryption. Is your Mac or your iOS device vulnerable?
OpenSSL is popular open source encryption software used all over the Internet. It's been in the news a lot lately, with plenty of dire warnings about what a newly discovered bug means for your personal data. Is it a threat to OS X security or iOS security? Do you need to be worried about your Mac, iPhone or iPad being vulnerable? According to AskDifferent:
No versions of OS X are affected (nor is iOS affected). Only installing a third party app or modification would result in a Mac or OS X program having that vulnerability / bug in OpenSSL version 1.0.x.
So Mac users can breathe a sigh of relief. iOS users are also off the hook. Apple doesn't use OpenSSL in iOS at all. Apple doesn't like OpenSSL on OS X either, thanks to what it calls an unstable API (application programming interface). In its security documentation, the company actively dissuades registered developers from using it.
Apple does keep an older version of OpenSSL around that isn't vulnerable to the exploit. Safely chained to a wall. In the dungeon. It prods it with sticks now and again to make sure it's still breathing.
Oh, by the way - do you depend on iCloud for anything? Mail, maybe, or using iCloud.com apps? Syncing your data with iOS and Mac devices? You can rest assured that OpenSSL isn't an issue there, and you can rest pretty easy at this point that your Apple ID is safe.
That means we're all off the hook, right?
No. Not even close.
Apple devices are safe, but data is not
I can't overemphasize this: your Apple device may be safe, but your encrypted data may not be. This is a very big deal because it affects many of the web sites and other Internet services you use. If the service uses OpenSSL to help manage the flow of encrypted data, it may be at risk. Hit up the services you depend on to find out if OpenSSL was used to encrypt data, and make sure they're up to date. Once you know that they are, it may be wise to change passwords for additional security.
OpenSSL's vulnerability is important to understand, regardless. The flaw enables the theft of information otherwise protected by SSL/TLS encryption, making vulnerable many web sites, virtual private networks, e-mail systems and more.
It's called Heartbleed because it exploits the security protocol's "heartbeat" extension, which keeps a connection alive between the client and the service. By exploiting the flaw, a third party can decrypt and view information.
Deja vu all over again
Doesn't SSL/TLS ring a bell? Just a couple of months ago Apple published updates to SSL/TLS for Mavericks, iOS 6 and iOS 7 to correct an entirely different issue related to connection verification. That was commonly known as the "GoToFail" bug.
That problem directly affected SSL/TLS connections on Apple devices for reasons unrelated to OpenSSL. But suffice it to say that 2014 hasn't been kind thus far to SSL/TLS, a security protocol that the Internet is dangerously dependent on at present.
Are you worried about seeing your encrypted data hijacked from Internet services you depend on? Let me know in the comments.