
Has goto fail been fixed yet? - electic
http://hasgotofailbeenfixedyet.com/
======
mikeash
This is absurd and unconscionable. There is no excuse whatsoever for not
having a 10.9 patch ready to go at the same time as iOS. There is _especially_
no excuse for _still_ not having a 10.9 patch five days later.

I would love to see a detailed postmortem about exactly how this bug happened
in the first place and why it's taking so long to fix it on the Mac side.
Unfortunately, given how secretive the company is, I'm sure we'll never have
more than speculation.

~~~
allochthon
I'm a little naive when it comes to SSL/TLS. I've been wondering whether the
reason for the delay is that because with this compromise Apple's update
service is no longer a secure channel through which to distribute a fix. So
now they're scratching their heads trying to figure out a way around the
issue, possibly coding up something that uses OpenSSL. Is this line of
reasoning unfounded?

EDIT: Great points about the checking of the signatures. Let's hope there's
not a second bug that can bypass this in some cases.

~~~
mikeash
My understanding is that the update system checks digital signatures on the
downloaded data separately from TLS, rather than simply relying on the
integrity of TLS. If that understanding is correct, then there shouldn't be
any issue there.

------
stcredzero
If the bug affects Software Update, couldn't we use it to patch it ourselves?
We could basically MITM our own machines to apply our own patch.

The above just made me think: This is a great datapoint in support of RMS and
his rants against the dangers of proprietary software. Should we really be
clamoring to some company for a fix, when we should just be able to patch it
ourselves? (Should we choose to take the risk.) It's times like this when I
feel like I don't quite own my own machine.

~~~
mikeash
No need to MITM anything. You can just patch the binaries on disk. People have
already done the legwork for it:
[http://www.sektioneins.de/en/blog/14-02-22-Apple-SSL-BUG.htm...](http://www.sektioneins.de/en/blog/14-02-22-Apple-SSL-BUG.html)

~~~
aroch
I enjoy that they're serving the patch over HTTP with no signatures or
anything. So their patch may be just as useless or maybe make things even
worse due to MITM

~~~
mikeash
And they go out of their way to give you a version that's all scripted up for
you so you can apply it without knowing what's going on!

------
JohnTHaller
You can always switch from Safari and Mail to Firefox and Thunderbird which do
not suffer from this bug. As a bonus, they are also cross-platform, making it
easier to switch to Linux or Windows later should the need or desire arise. As
for Facetime, switching to Skype or similar will get you around the bug and
permit you to chat, talk, and videochat with people that own technology from
all sorts of companies... not just other Apple users (which is silly).

------
EdwardMSmith
Right after reading this thread, I fired up Software Update, and OSX Update
10.9.2 is available for me.

Links to here
[http://support.apple.com/kb/HT6114](http://support.apple.com/kb/HT6114) but
nothing's on the page.

Edit: big update. 460M (I think), and took about 10 minutes on an Air.

~~~
3JPLW
There's now content at the support page you linked, but the security content
of the patch still hasn't been published [1]. See the new thread about it
here:
[https://news.ycombinator.com/item?id=7299287](https://news.ycombinator.com/item?id=7299287)

[1] [http://support.apple.com/kb/HT1222](http://support.apple.com/kb/HT1222)

------
wyuenho
For those who can get their way around a terminal, here's a temp fix:

[http://nakedsecurity.sophos.com/unofficial-patch-for-the-app...](http://nakedsecurity.sophos.com/unofficial-patch-for-the-apple-securetransport-55741-bug/)

I applied it this morning. It works. The one on gotofail.com can't be signed
so it doesn't work.

This patch still doesn't solve the real problem but at least it doesn't fail
silently.

------
nfoz
If my Debian system were to break, and no one was around to fix it... I could
fix it myself. Free software ftw.

~~~
pilif
The security flaw is inside a library that has been released under a BSD-style
license (otherwise, the "goto fail;" hilarity would never have ensued). You're
free to download the source of the 10.9 library, patch it, compile it and
replace the vulnerable binary with the one you fixed.

~~~
makomk
Apparently someone tried it and the publicly-available source is incomplete
and doesn't build.

------
rdl
OSX machines are now iOS development workstations; nothing more.

~~~
ihuman
What do you mean?

~~~
rdl
Apple can't be trusted to do point releases for major security bugs in a
timely fashion.

OSX development can only be done on OSX.

Because Apple security procedures are now known to be so horrible, the
reasonable thing is to only use Apple hardware when you absolutely must -- iOS
dev.

I say this as someone who currently has _only_ Macs except for servers; I'll
probably not buy another one, and switch back to Linux. I might Linuxify the
Macs I currently have, except for when I need to do iOS stuff.

~~~
ihuman
Correct me if I'm wrong, but you're almost completely abandoning an OS just
because of 1 security problem?

~~~
rdl
I don't actually care about the original bug much. It happens.

That Apple's internal code review/static analysis/etc. doesn't exist is a
bigger problem, but still not a showstopper.

That Apple's incident response and prioritization is horrible is the reason.
Look what they did with the dev center over the summer. Various past bugs.

------
theandrewbailey
Am I the only one who despairs over redundant hashtags being appended to
everything?

~~~
rsync
... am I the only one that thinks "pound" would be a better phrase than
"hashtag" when saying these out loud ?

Cuts syllable usage in half ... has worked for decades with irc channel names
...

~~~
CUViper
'#' is commonly called either "hash" or "pound", and "tag" as a suffix just
describes this tagging use in context. For an apples-to-apples comparison
you'd be saying "poundtag", but good luck getting that to catch on. :)

~~~
acuozzo
Octothorpe FTW

------
hoverbear
Tossed an email to my AppleCare contact expressing my frustration... You
should too if you have one!

------
jamiesonbecker
I love how people keep making excuses for why their favorite cult leader just
fed them cyanide.

------
STRML
Looks like this should be updated - 10.9.2 was just released.

[http://www.macrumors.com/2014/02/25/osx-update-ssl-facetime-...](http://www.macrumors.com/2014/02/25/osx-update-ssl-facetime-audio/)

------
rdl
I blame the security community on this one, for not releasing an apocalyptic
weaponized exploit for this vulnerability over the weekend, instead of stuff
like agl's checker.

If end users were on fire, Apple might be more motivated to push a fix.

------
stevoyoung
...and it's fixed. [http://www.macrumors.com/2014/02/25/osx-update-ssl-facetime-...](http://www.macrumors.com/2014/02/25/osx-update-ssl-facetime-audio/)

------
wernerb
I can't afford to switch environments at the moment. I don't however use any
apple applications such as calendar/reminders/safari. Does this mean I have a
modicum of relative safety?

[https://www.imperialviolet.org:1266/](https://www.imperialviolet.org:1266/)
produces an error for me. And from what I gather that means I am at least safe
using google chrome on OSX.

------
FireBeyond
Regardless of the fact that you, and I, realize that two separate teams are
working on these things, it looks really bad (well, at least to me) to have
your flagship OS vulnerable to an amazingly easy to exploit security hole for
multiple days, widely and loudly publicized ...

And nothing comes out. Oh, except for iBeacon, a specification for pushing ads
on you based on your location.

------
plg
Tim Cook had better make a public statement and make it soon.

Think antennagate.

It's one thing if your maps application is wrong ... but it's quite another if
suddenly people feel like using your product puts their banking information at
risk.

------
robbyking
I really hate these long-url one-word-of-content sites. Doineedajacket.com was
clever, but the swarm of copies are unoriginal and annoying.

------
dTal
Looking at the details of the bug, I'm surprised it wasn't flagged with a
warning. Why don't we warn on unconditional gotos?
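
The bug dTal is asking about, written out as an added example that is not part of this thread and not Apple's code: the hashing and signature steps are constructed stand-ins that only mimic the real routine's "0 means success, nonzero means error" convention, and the error codes are made up for the example. The buggy version keeps the duplicated `goto fail;`; the fixed version has it removed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-ins (not Apple's SecureTransport code) for the steps the
 * real verify routine performs: hash the handshake data, finalise the hash,
 * then verify the server's signature over it. Each returns 0 on success and
 * nonzero on failure, the OSStatus convention the real code uses.
 */
typedef int OSStatus;
enum { kNoErr = 0, kHashErr = 1, kVerifyErr = 2 };   /* constructed codes */

typedef struct { size_t len; } HashCtx;

static OSStatus hash_update(HashCtx *ctx, const char *data) {
    ctx->len += strlen(data);
    return kNoErr;
}

static OSStatus hash_final(HashCtx *ctx) {
    return ctx->len > 0 ? kNoErr : kHashErr;
}

/* Compares the signature the server sent with the one we expect. */
static OSStatus raw_verify(const char *expected_sig, const char *signature) {
    return strcmp(expected_sig, signature) == 0 ? kNoErr : kVerifyErr;
}

/*
 * Shape of the bug: one extra "goto fail;" after the second check, indented
 * as if it belonged to the if. It is unconditional, so hash_final and
 * raw_verify never run, err still holds the 0 from the last successful
 * update, and the fail label returns that 0: any signature "verifies".
 */
static OSStatus verify_buggy(const char *expected_sig, const char *signature) {
    OSStatus err;
    HashCtx ctx = { 0 };

    if ((err = hash_update(&ctx, "client+server random")) != 0)
        goto fail;
    if ((err = hash_update(&ctx, "signed params")) != 0)
        goto fail;
        goto fail;                       /* the duplicated line */
    if ((err = hash_final(&ctx)) != 0)   /* unreachable */
        goto fail;
    err = raw_verify(expected_sig, signature);   /* unreachable */

fail:
    return err;
}

/* Same function with the duplicate line removed: verification actually runs. */
static OSStatus verify_fixed(const char *expected_sig, const char *signature) {
    OSStatus err;
    HashCtx ctx = { 0 };

    if ((err = hash_update(&ctx, "client+server random")) != 0)
        goto fail;
    if ((err = hash_update(&ctx, "signed params")) != 0)
        goto fail;
    if ((err = hash_final(&ctx)) != 0)
        goto fail;
    err = raw_verify(expected_sig, signature);

fail:
    return err;
}

int main(void) {
    printf("buggy, wrong signature: %d (0 means accepted)\n",
           verify_buggy("good-sig", "bad-sig"));
    printf("fixed, wrong signature: %d\n", verify_fixed("good-sig", "bad-sig"));
    printf("fixed, right signature: %d\n", verify_fixed("good-sig", "good-sig"));
    return 0;
}
```

On the warning question: clang's `-Wunreachable-code` does flag the two statements after the second `goto fail;` in `verify_buggy`; gcc accepts the same flag but has not produced that diagnostic for years, so a build that only uses gcc would have stayed silent. The other cheap check is a negative test like the one in `main`: feeding a deliberately wrong signature and asserting the verify routine rejects it would have failed on the buggy build.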

------
pktgen
Just curious, what Linux distro is everyone switching to? At this point I am
seriously considering it, because this is pathetic. (I suspect I'll remain
with Apple hardware for the foreseeable future, because they still have the
best laptops IMO, but running another OS is not out of the question.)

I like elementaryOS, but it really doesn't feel as polished as OS X. Things
like their choice of font don't help IMO.

~~~
dradtke
If you're seriously considering switching to Linux, then be aware that nothing
you find is going to feel as polished as OS X. Linux developers tend to be
more focused on security and under-the-hood improvements while Apple focuses
on user experience, plus Apple is a business that can easily afford to hire as
many developers as they need while most Linux distros are community-driven.

That said, the Linux user experience has improved dramatically over the past
several years, and my recommendation would be openSUSE (what I run), or Ubuntu
if you're completely new to Linux.

~~~
pktgen
Yeah, this is what I was thinking. elementaryOS seems to get the closest but
still isn't ideal. I have to think about it. Thanks.

I use Linux on servers, but I've always found the options lacking in some way
for desktop.

------
ybaumes
opensourceapple.com ? If it's an open source part in apple code, then couldn't
I fix the issue on my own machine? (by removing the second goto fail; and
recompiling)

~~~
lloeki
In theory yes (especially since it's a framework, as it's dynamically linked
against), but download [0] and see the README: you'll be missing some
proprietary algorithms so some things depending on them are bound to fail.

[0]:
[http://opensource.apple.com/tarballs/Security/Security-55471...](http://opensource.apple.com/tarballs/Security/Security-55471.tar.gz)

------
ereckers
iOS 7.0.6: This security update provides a fix for SSL connection verification.

Just notified on my iPad.

~~~
0x0
That was 5 days ago. OSX 10.9.1 is still vulnerable.

------
sheetjs
Since all of the computers in question are Intel-based, I suspect it would be
possible for people to use bootcamp to run Linux or Windows. Are people
switching over?

EDIT: apparently I have to spell it out: if people are bothered by the
situation, they will switch to a different OS. And since we are talking about
OSX on computers with intel chips, that is an option.

~~~
uptown
Yes. Everybody has switched.

