Apple Says iOS, OS X and “Key Web Services” Not Affected by Heartbleed
recode.netOddly enough, I've had a lot of trouble getting my AppleTV to connect to iTunes services for the last 24h or so. I wonder if there might be some vulnerabilities being patched.
Article is not very informative. If they don't use OpenSSL what do they use?
SecureTransport https://developer.apple.com/library/mac/documentation/securi...
Remember "Goto fail?"
Yes, they are developing their own SSL library, so "Goto fail" didn't affect OpenSSL, too.
They do use OpenSSL, just 0.9.8y version which is not affected.
And it's deprecated. It's there for older applications that depend on it.
My jailbroken iOS 7.0.6 had OpenSSL 0.9.8y on it. I don't know if this is an addition of the jailbreak but it wouldn't surprise me if it's baked in - after all, iOS and OSX contains BSD roots via Darwin and BSD 9.x wasn't vulnerable for the same 'too old version' reasons.
Your iPhone having OpenSSL is probably the jailbreak, however all OSX computers ship with 0.9.8 for legacy reasons. It's not used by any other apple software to my knowledge.
"Sites that use OpenSSL will display a small “lock” icon in the top left-hand corner of your Web browser’s address bar (though not all sites showing this lock use OpenSSL);"
This sentence physically hurt to read. I seriously hope that Google Translate wrote this.
I stopped reading at that line.
“Apple takes security very seriously. IOS and OS X never incorporated the vulnerable software and key Web-based services were not affected,”
This makes it sound like they knew about the vulnerabilities, which they didn't...
I don't see that implication at all.
...I would be quite interested in having a list of their Web services that they don't deem to be 'key', however.
That was exactly their implication. "We don't go for that open source crap" is a motto of theirs. Usually it's just obnoxious. This time, they just happened to blindly fall on the right side of the line.
Er, you realise that Apple's own OpenSSL substitute is open source? And that they both use and release lots of open source software?
Are you thinking of Microsoft circa 2000, or something?