
Show HN: Check if your browser is vulnerable to the Apple SSL bug - cantfindmypass
https://gotofail.com/
======
ef4
Why the hell would Apple publish the vulnerability & fix for iOS without a
concurrent update to OS X?!

~~~
gress
Presumably because the vulnerability is already known outside of Apple, and
it's better not to hold back the iOS patch while they get the OSX patch done.

~~~
smnrchrds
How hard is it to get the patch done? Isn't it, like, removing one line?

~~~
cantfindmypass
Yes, removing one line would fix it.

------
ef4
So if you're on Mavericks and left hanging, there are some evasive actions you
can take.

As others have pointed out, Firefox and Chrome are not vulnerable. But what
else may be relying on the system SSL implementation? Your IM client? Various
software updaters? Dropbox? Skype? Etc.

Rather than guess, I'm whitelisting only the things I trust. I'm using the pf
firewall to block all outbound connections other than DNS and SSH, using SSH
to open a SOCKS proxy tunnel, and configuring Firefox to use the proxy ( _not_
via the system proxy settings -- via Firefox's own proxy config, so other apps
don't know about it and can't get out).

A simpler solution for those who want to buy a commercial product would be to
install Little Snitch and start with a completely empty list of approved apps,
then turn on only Firefox.

~~~
wlesieutre
>But what else may be relying on the system SSL implementation? Your IM
client? Various software updaters? Dropbox? Skype? Etc.

Mail seems like a huge concern. I use two-factor on my google account, but
that's not worth much when SSL doesn't work. For the time being, at least
there's webmail + Firefox.

------
allochthon
It's becoming quite a chore to keep your computer and online accounts secure.
I'm in the industry; anyone who is not is probably a babe in the woods these
days.

~~~
gress
Actually this demonstrates the opposite - this vulnerability has just been
patched for half a billion people with no effort on their part.

~~~
cantfindmypass
Apple still hasn't released a fix for OS X...

~~~
gress
Do you presume they won't?

~~~
rlu
/facepalm

~~~
gress
That's a totally unhelpful comment. You imply that you know something that
should be obvious and you think it's more helpful to be condescending than to
contribute what you think.

~~~
cantfindmypass
The issue is that Apple's security engineers must have realized that there was
a good chance someone would reverse engineer the patch, and from there find
out the OS X is also vulnerable.

~~~
gress
The patch doesn't need to be reverse engineered to discover that - the
documentation alone and a quick test is enough.

The unknown factor which makes rlu's comment so ignorant, is that we don't
know whether the vulnerability is already known and being exploited.

If so, then not delaying the iOS patch is the correct call.

------
bcl
You can already do this here -
[https://www.imperialviolet.org:1266/](https://www.imperialviolet.org:1266/)

On OSX Firefox and Chrome fail and Safari happily loads it. Yay for not using
system crypto libraries.

~~~
cantfindmypass
I started making this before agl released that, though he had that up before I
finished.

Also, upon closer inspection, mine actually works differently from agl's.

------
djao
Anyone who thinks Chrome and Firefox are safe from this bug doesn't understand
the issue. SecureTransport is used for updating software. So an attacker could
trick you into installing a malicious update to Chrome, FireFox, or for that
matter anything on your system. They could even slip in malware under the
guise of a patch that purportedly fixes this bug. Using alternative browsers
does NOT completely protect you.

~~~
mikeash
Chrome uses its own updater which presumably uses the same non-vulnerable SSL
implementation as the rest of the program.

~~~
djao
Doesn't matter, the system updater can blow away Chrome or anything else.

~~~
mikeash
Yes, I suppose that's true. However, I believe OS X's software update requires
packages signed by Apple and doesn't simply trust the integrity provided by
SSL, so I don't think that can happen.

~~~
djao
That makes it slightly harder. Still, Apple will sign anything that is
successfully submitted to the App Store for approval, right? So you just need
to slip a single trojan past their approval process. Normally, the transport
layer provides an important second level of defense: a victim would have to
consciously choose to install YOUR program in order to get hacked. That
doesn't work anymore when the security of the transport layer is compromised.
Now anything that you install from the App Store could be surreptitiously
compromised. Better hope that Apple's signature revocation infrastructure is
sound.

~~~
mikeash
All new App Store apps require sandboxing now, so as long as Apple's sandbox
is tight (not a given, but it's supposed to be) then you can't do anything
harmful. Apple won't sign anything you give the that isn't sandboxed.

The updater for Apple's own stuff obviously doesn't have this constraint, but
it should involve a different signing key than the one used for third-party
apps.

------
firstplanthendo
Using the program Little Snitch on OS X 10.8 now to block everything except
Firefox (recommended by u/ef4 here)- successfully helped Safari pass this
browser test.

Can anyone else comment on if this is a decent solution?

~~~
franl
I don't think 10.8 has the vulnerability. At least my MBP with 10.8 doesn't
appear to have it. Both of the test URLs from HN had the desired behavior in
Safari on that machine (ie they blocked content / didn't establish a
connection).

EDIT: I'm not using Little Snitch or anything other than the builtin OSX
firewall.

------
bsenftner
I'm seeing a positive (yes the bug is there) on all my Apple devices,
including my OSX laptops - laptop sees the bug IF and only IF I browse using
Safari. Chrome and FF browse to your page fine on the laptop.

I've not seen any information about fixing this issue on OSX. Have I just
missed it in the noise about the iOS fix?

~~~
cantfindmypass
No OS X patch is available yet. :-(

Chrome/Firefox shouldn't be vulnerable.

------
userbinator
I use a filtering proxy which uses OpenSSL and it just reports "socket error"
in the log and retries the connection around a dozen times before it gives up,
so it seems I'm not vulnerable; non-Apple software isn't affected by this?

------
mirkules
Can anyone confirm this on an iOS 6 device? I don't have of those anymore.
Good news is iPad running 5.1.1 is not affected, which _almost_ leads me to
believe this vuln was introduced with iOS 7

~~~
evanspa
Safari on 3GS running iOS 6 is vulnerable; chrome on the same device is not
vulnerable

------
Jayschwa
For HTTPS clients that don't execute Javascript (e.g. curl), GET
[https://gotofail.com:1266/](https://gotofail.com:1266/)

~~~
kylec
You'll need to request the image directly:

    
    
        curl "https://gotofail.com:1266/test.png"
    

curl on OS X 10.9.1 fetches the image without complaint, while curl on Debian
is correctly reporting an RSA padding check error.

------
oneplusone
OSX 10.8.4 fails correctly. Was this bug introduced with Mavericks?

~~~
cantfindmypass
Yes, the bug is a regression introduced in Mavericks.

------
mh-
Safari fails on 10.9.1.

------
aroch
I can confirm that this is fixed in 10.9.2 (Since the first build of it). From
the looks of things (and some friends in the Mavericks dev group), the final
10.9.2 should be dropping very soon

~~~
mikhailt
No, it isn't. It is still affected in the latest 10.9.2 builds.

~~~
aroch
No...Not as far as I can tell. Attempting to connect over the bare IP address
to an SSL site results in a curl error[1]. Whereas under 10.9.1 its allowed

1: [http://pastebin.com/AZ38WYaB](http://pastebin.com/AZ38WYaB)

~~~
cantfindmypass
That is a different bug.

------
rasengan0
OS X 10.7.5 passes; y'all should downgrade ;-)

------
anoncow
why does it say my browser is vulnerable? Using Ucbrowser on lumia.

------
nraynaud
I get the red "PATCH IMMEDIATELY" in safari, where is the patch??? after a bit
of research this looks like a good old UX fail since there is no patch yet
anyways. Don't write something in red if there is no path to a solution.

~~~
ephemeralgomi
Yeah, if there's no path to a solution, the text should say "Your computer is
correctly following the undesired behavior described in HT6147" in a soothing
green color.

...

~~~
nraynaud
nope, saying that there is a page to check for an upcoming solution. Stating
that there is nothing to do for now anyways.

