Safari's Goto bug could expose your Web surfing to hackers
As The Mac Observer reported earlier, Apple updated iOS 7 to 7.0.6, the stated reason being “This security update provides a fix for SSL connection verification.” To those who aren’t security-minded this sounds like a good thing (who wouldn’t want their connection verified?), but the wording raised all sorts of alarms in security circles. The vulnerability has been dubbed “Goto Fail” after the C statement that is executed when it shouldn’t be.
The alarm is warranted because TLS (Transport Layer Security) and its predecessor, SSL (Secure Sockets Layer), provide two very important services. The first is confidentiality, in the form of encryption that scrambles the data you send over the network so that others can’t read it. The second, and the one this bug involves, is authentication, also known as verification: the assurance that the system you’re exchanging data with is who it says it is.
This authentication is done with a digital signature, using a technology called public key cryptography. A signature is created with a private key, a piece of data that only the owner of a system and its corresponding certificate should possess, and verified with the corresponding public key, which is stored on your computer. The problem is that if the signature isn’t actually verified when an SSL/TLS connection is established, someone positioned between you and the server can launch what is known as a “man in the middle” attack, which means they could monitor, and potentially alter, your network traffic without your knowing it.
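To make concrete how a single stray statement can switch authentication off entirely, the following is a constructed C example written for this article; it is not Apple's code. Its shape mirrors the defect the bug's name refers to: a duplicated, unconditional `goto fail` that jumps past the signature check while the error variable still holds the success value from the previous step. The hashing and signature helpers (`toy_hash_update`, `toy_verify`) and the error codes are stand-ins invented for the example, not real cryptography.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed example, not Apple's Secure Transport source. The "hash" and
 * "signature" helpers below are toys that only exist to show the control flow. */

#define ERR_NONE          0
#define ERR_BAD_SIGNATURE 1
#define ERR_HASH          2

/* Stand-in hash: sums the bytes into *acc; fails if the input is NULL. */
static int toy_hash_update(const unsigned char *data, size_t len, unsigned int *acc) {
    if (data == NULL) return ERR_HASH;
    for (size_t i = 0; i < len; i++) *acc += data[i];
    return ERR_NONE;
}

/* Stand-in signature check: "valid" iff the signature equals the hash. */
static int toy_verify(unsigned int hash, unsigned int signature) {
    return hash == signature ? ERR_NONE : ERR_BAD_SIGNATURE;
}

/* Buggy shape: the second "goto fail" is not governed by the if, so it is
 * always taken. toy_verify() is never reached and err still holds ERR_NONE
 * from the successful hash step, so any signature is accepted. */
int verify_buggy(const unsigned char *msg, size_t len, unsigned int signature) {
    unsigned int hash = 0;
    int err;
    if ((err = toy_hash_update(msg, len, &hash)) != 0)
        goto fail;
        goto fail;   /* the defect: unconditional jump past the real check */
    if ((err = toy_verify(hash, signature)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: one goto per condition, with braces so the flow is explicit. */
int verify_fixed(const unsigned char *msg, size_t len, unsigned int signature) {
    unsigned int hash = 0;
    int err;
    if ((err = toy_hash_update(msg, len, &hash)) != 0) {
        goto fail;
    }
    if ((err = toy_verify(hash, signature)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    const unsigned char msg[] = "ServerKeyExchange";  /* constructed sample input */
    size_t len = sizeof msg - 1;
    unsigned int wrong_signature = 0xDEADBEEF;       /* does not match the hash */
    printf("buggy verify: %d (0 means accepted)\n", verify_buggy(msg, len, wrong_signature));
    printf("fixed verify: %d (0 means accepted)\n", verify_fixed(msg, len, wrong_signature));
    return 0;
}
```

Run as-is, the buggy function reports success for a signature that does not match, while the fixed one rejects it. Two defensive habits make this class of mistake visible: always brace single-statement `if` bodies so an extra line cannot silently escape the condition, and build with unreachable-code warnings enabled (clang's `-Wunreachable-code` flags the dead `if` in `verify_buggy`), so a skipped check fails the build instead of shipping.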
The concern is that while Apple has patched this vulnerability in iOS 6, iOS 7 and Apple TV 6, as of this writing it hasn’t yet patched OS X 10.9.x, which shares the same SSL/TLS code as iOS. To see whether your browser is vulnerable, you can use the Goto Fail Browser Security Check.
At this point Safari is vulnerable, but other browsers, such as Firefox and Chrome, which don’t use Apple’s SSL/TLS implementation, are not. This isn’t just a matter of switching browsers, though, since other Apple software, such as Mail.app, also uses Apple’s SSL/TLS implementation.
What can you do to reduce the risk of your data being compromised? Avoid using public Wi-Fi. If you must use it, consider using a VPN (Cloak is a fine choice for OS X and iOS) to provide an additional layer of protection for your network connection. If you send sensitive data via email, consider using S/MIME or GPG to encrypt and sign your email. If you're really worried, use an earlier version of OS X, since only Mavericks looks to be vulnerable per the Vulnerability Summary for CVE-2014-1266.
And try not to panic, at least not until you've found your towel. This bug will not send all of your confidential data to the criminals of the world, but it certainly makes it easier for those with the right tools.