Protect your Mac from SSL bug

You can bypass the SSL vulnerability in OS X with a couple of temporary changes, until a software fix is made available.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

Recently, Apple released an iOS update to address a bug with its SSL implementation, which would allow a nefarious individual on the same local network as your computer to intercept sensitive information as you browse the Web.

This type of attack, called a man-in-the-middle attack, is possible because in the latest versions of OS X and iOS (up to version 7.0.5) the operating system does not check the signature in a TLS Server Key Exchange Message, allowing a third party to spoof a private key or simply omit using one and intercept the SSL data. Since encrypted SSL data is used for sensitive information such as financial and medical records, this could potentially give someone access to the data if you are accessing it on a public or otherwise shared network.
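To show what that signature check protects, here is an added example (not Apple's code and not part of the original article) that models a client accepting a Server Key Exchange message with and without verifying the signature. The toy RSA key, the sample randoms and parameters, and all function names are assumptions constructed for illustration.

```python
import hashlib

# Constructed toy RSA key standing in for the server's certificate key.
# Two Mersenne primes: fine for a demo, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the real server


def signed_digest(client_random: bytes, server_random: bytes, params: bytes) -> int:
    """Digest of what the signature covers: both hello randoms plus the key-exchange params."""
    h = hashlib.sha256(client_random + server_random + params).digest()
    return int.from_bytes(h, "big") % N  # toy reduction; real TLS uses padded RSA or ECDSA


def server_sign(client_random, server_random, params):
    """Server side: sign the digest with the certificate's private key."""
    return pow(signed_digest(client_random, server_random, params), D, N)


def client_skips_check(client_random, server_random, params, signature):
    """The behaviour the article describes: the signature is never evaluated."""
    return True


def client_checks_signature(client_random, server_random, params, signature):
    """Correct behaviour: params are used only if the certificate key signed them."""
    return pow(signature, E, N) == signed_digest(client_random, server_random, params)


def handshake(client_verify, params_altered_in_transit: bool) -> bool:
    """Return True if the client accepts the Server Key Exchange message it receives."""
    client_random, server_random = b"C" * 32, b"S" * 32  # constructed sample values
    params = b"server-ephemeral-public-key"              # constructed sample value
    signature = server_sign(client_random, server_random, params)
    if params_altered_in_transit:
        # The params were swapped by someone without D; the old signature no longer matches.
        params = b"substituted-public-key"
    return client_verify(client_random, server_random, params, signature)


if __name__ == "__main__":
    for verify in (client_skips_check, client_checks_signature):
        print(verify.__name__, handshake(verify, False), handshake(verify, True))
```

Only the checking client rejects the handshake whose parameters changed in transit, which is the property the missing check was supposed to guarantee.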

Apple has issued a fix for this in iOS with version 7.0.6, which was released last Friday; however, this only addresses the problem in iOS and not OS X. Apple has said a fix will be available soon for the desktop operating system, but so far has not mentioned a release date. While a fix will likely come within the next week, until then you can take steps to ensure your system is properly secured.

  1. Use a patched browser
    This problem affects Apple's Safari browser, and may affect versions of Chrome running on test releases of OS X. Therefore, until a fix is released you might consider downloading and using Firefox, which has been deemed safe from this bug. You can test any browser you use by going to this Web site, which will run a test and notify you if your browser's SSL data can be intercepted.
  2. Avoid public networks
    While this problem exists, it can only be taken advantage of if an attacker is on the same local network as you. Therefore, if you are using a publicly accessible network such as those at cafes or libraries, be sure to either use an unaffected browser or avoid accessing banking and other sites with sensitive data.