Apple has confirmed that the widely reported Heartbleed security disaster isn’t a problem for iOS, OS X or its iCloud services. However, Apple users should still check the sites and services they use, as these may well be insecure.
Platform secure, services ain't
“Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key Web-based services were not affected.”
Heartbleed is a major security flaw recently identified in OpenSSL that enabled those in the know (hackers? the NSA?) to access all kinds of user information. The problem is considered so serious that security expert Bruce Schneier called it “catastrophic” – it means passwords, private keys and even credit card details could be at risk when you access services using a vulnerable server – even if you are using a Mac or iOS device to access that site or service.
Apple deprecated OpenSSL on OS X in or before December 2012, switching to alternative interfaces to provide SSL services.
“OpenSSL does not provide a stable API from version to version. For this reason, although OS X provides OpenSSL libraries, the OpenSSL libraries in OS X are deprecated, and OpenSSL has never been provided as part of iOS. Use of the OS X OpenSSL libraries by apps is strongly discouraged,” the company said at that time.
Check your services
It is good that Apple’s platforms are not affected, but some services used by Apple customers might be:
- Yahoo, Facebook and Tumblr services have been impacted;
- Some Google and Yahoo services were left insecure by the flaw, which existed for two years;
- Multiple BlackBerry products, including BBM for iOS and Android, are also vulnerable, as are Amazon’s cloud services.
(An astonishing number of Android phones remain vulnerable. These devices run Android 4.1.1 Jelly Bean, and while Google is working on a fix with hardware makers, it may take time for Android users to feel secure engaging in financial transactions on their phones.)
Apple users must also ensure that the servers they use when accessing sites and services are secure against the problem.
Many experts have suggested users should change all their Web passwords in order to protect themselves against Heartbleed leaks, but others warn doing so will be a waste of time until service providers upgrade their systems to fix the flaw.
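As an added example (not part of the original article), here is the check a service operator would run on their own side before telling users to change passwords: classify an OpenSSL version string as inside or outside the affected range. Heartbleed affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 carry the fix, and the 0.9.8 and 1.0.0 branches never contained the heartbeat code. The host names and version strings in SAMPLE_INVENTORY are constructed, and is_heartbleed_vulnerable(), audit() and local_openssl_vulnerable() are this example's own functions.

```python
import re
import subprocess

# Matches the leading "OpenSSL X.Y.Z[letter][-betaN]" of an `openssl version` line.
_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def is_heartbleed_vulnerable(version_string: str) -> bool:
    """Return True if the reported OpenSSL version falls in the Heartbleed range.

    Affected: 1.0.1 (all betas and releases up to and including 1.0.1f) and 1.0.2-beta1.
    Fixed:    1.0.1g and later, 1.0.2-beta2 and later.
    Unaffected branches: 0.9.8, 1.0.0 and anything newer than 1.0.2.
    """
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version_string!r}")
    major, minor, fix = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter = m.group(4)
    beta = int(m.group(5)) if m.group(5) else None

    if (major, minor, fix) == (1, 0, 1):
        if beta is not None:
            return True            # 1.0.1 betas predate the fix
        return letter == "" or letter <= "f"   # 1.0.1 and 1.0.1a..f vulnerable, g+ fixed
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1           # only 1.0.2-beta1 shipped with the bug
    return False


# Constructed inventory: host -> output of `openssl version` on that host.
SAMPLE_INVENTORY = {
    "www.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
    "api.example.test": "OpenSSL 1.0.1e 11 Feb 2013",
    "mail.example.test": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy.example.test": "OpenSSL 0.9.8y 5 Feb 2013",
}


def audit(inventory: dict) -> list:
    """Return the sorted list of hosts whose OpenSSL version needs upgrading."""
    return sorted(host for host, ver in inventory.items() if is_heartbleed_vulnerable(ver))


def local_openssl_vulnerable() -> bool:
    """Check the OpenSSL binary on this machine (requires `openssl` on PATH)."""
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
    return is_heartbleed_vulnerable(out)


if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: vulnerable OpenSSL, upgrade before rotating user passwords")
```

One caveat for operators on Linux distributions: distribution packages often backport the fix without changing the version number, so a string such as "OpenSSL 1.0.1e" can belong to a patched build. On such systems, confirm against the package changelog or the build date shown by `openssl version -a` rather than trusting the version letter alone.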
To boost security while the Internet gets its act together, Mac users might want to begin using password management tools like 1Password or Apple’s own Safari browser password generator to create (and remember) new and unique passwords for critical services: for example, social media, retail, shopping, banking, financial services and so on.
Because some will need to change passwords again once service providers pull themselves together, focusing on the most important or confidential sites today will let you create temporary passwords, moving to create fresh ones once providers say they have resolved the problem.
While up to a billion sites may be affected, it’s important to remember that not every site or service you use will be. Numerous tools to check which sites are affected now exist, including: Heartbleed test, LastPass Heartbleed checker, and Qualys SSL Labs test.
Finally, there’s a hosted list of sites that have been tested for vulnerability to the problem over at Github. This confirms Apple’s iCloud services to be safe, but does include dozens of sites that do seem vulnerable.
- If a site you use is listed there, you should visit the Heartbleed test website and type in the URL.
- If the site is fixed, change your password; if it is not, then avoid making any financial transactions using the site until it is.
Got a story? Drop me a line via Twitter or in comments below and let me know. I'd like it if you chose to follow me on Twitter so I can let you know when fresh items are published here first on Computerworld.