Daemon (Premium Member, join:2003-06-29, Washington, DC) to OSUGoose

Re: [Security] Do NOT use Safari on OS X for SSL - online banking, shopping, etc.!

said by OSUGoose:

My understanding is this is only a big issue if you're on public wifi where the security of the connection is unknown.

Actually, every SSL connection is vulnerable. An attack would rely on a man-in-the-middle strategy. Anybody with a strong motivation to get your credentials could poison local DNS caching servers to redirect queries for, e.g. amazon.com, to a copy of the website using forged SSL credentials and you wouldn't know it.

The reason home connections are more secure is that it would be more difficult to poison your DNS cache, as your local ISP's servers should be more secure against this type of attack.

Open/unsecured wifi connections are actually no more secure than any other public wifi, because the attack doesn't rely on breaking/snooping traffic, it relies on man in the middle. If your local coffee shop owner wanted to redirect DNS servers to do this, they could do it just as easily with WPA enabled or not.
Shady Bimmer (Premium Member, join:2001-12-03) to OSUGoose
said by OSUGoose:

My understanding is this is only a big issue if you're on public wifi where the security of the connection is unknown.

This is absolutely not true. The first-hop connection to the access point is only one part at the very beginning of a very long chain of components.

This issue is indeed a big issue as it effectively renders https and any other ssl-based connection useless.

SSL provides end to end security and validation. With this "bug" this protection and validation is lost. While public wifi is a primary concern it is by far not the only concern.

Many other vulnerabilities and points of attack would otherwise be mitigated by SSL. Those issues become much more important now, since these are the cases that SSL is meant to help protect against. Everything between you and the site you are communicating with becomes a potential point of exploit with this bug.

Note the risk here is primarily one of theft, though well-crafted malicious actions could go further. There is a significant financial benefit for criminals to attempt to leverage this vulnerability quickly, and when successful the victim likely would not notice until it is too late.

Tex (Dave's not here, Premium Member, join:2012-10-20)

And another day goes by and still no word from Apple. How difficult is it to change a few lines of code and put out an update?

Edit - Found this link in the Security Forum:

Apple's 'Gotofail' Security Mess Extends To Mail, Twitter, iMessage, Facetime And More

And this:

Apple promises fix "very soon" for Macs with failed encryption

AppleGuy (Premium Member, join:2013-09-08, Kitchener, ON) to OSUGoose
said by OSUGoose:

My understanding is this is only a big issue if you're on public wifi where the security of the connection is unknown.

I was just about to ask the same thing after doing more research:

The "take a breath, if you're on a secure network (like at home) you should be fine."

fonzbear2000 (Premium Member, join:2005-08-09, Saint Paul, MN, Verizon Wireless) to TAZ
»www.afterdawn.com/news/a ··· e_update

Someone needs to go and shut all those Apple haters up!

dfc888 (Premium Member, join:2003-07-22, San Bruno, CA) to Tex
said by Tex:

And another day goes by and still no word from Apple. How difficult is it to change a few lines of code and put out an update?

Edit - Found this link in the Security Forum:

Apple's 'Gotofail' Security Mess Extends To Mail, Twitter, iMessage, Facetime And More

I wonder if say a node out there was compromised, if they could grab my iCloud user name and password (since I'm always "logged on" to FaceTime, iMessage, etc...)

not quite right (I'm not cool enough to be a Mac person, Member, join:2001-06-23, Puyallup, WA) to Shady Bimmer
said by Shady Bimmer:

said by OSUGoose:

My understanding is this is only a big issue if you're on public wifi where the security of the connection is unknown.

This is absolutely not true.

Naw it's pretty much it ... »www.reuters.com/article/ ··· 20140222
The intruders do need to have access to the victim's network, either through a relationship with the telecom carrier or through a WiFi wireless setup common in public places. Industry veterans warned users to avoid unsecured WiFi until the software patch is available and installed.

GuruGuy (Premium Member, join:2002-12-16, Atlanta, GA)

said by not quite right:

said by Shady Bimmer:

said by OSUGoose:

My understanding is this is only a big issue if you're on public wifi where the security of the connection is unknown.

This is absolutely not true.

Naw it's pretty much it ... »www.reuters.com/article/ ··· 20140222
The intruders do need to have access to the victim's network, either through a relationship with the telecom carrier or through a WiFi wireless setup common in public places. Industry veterans warned users to avoid unsecured WiFi until the software patch is available and installed.

Naw, that's NOT it. Go over to the security forum. Already a new vulnerability out that even affects 7.0.6

»arstechnica.com/security ··· ers-say/
Shady Bimmer (Premium Member, join:2001-12-03) to not quite right
said by not quite right:

Naw it's pretty much it ...

You may need to learn basic networking and security. This is definitely not "it".

The media is highlighting public wifi, but the risk extends far beyond the first network hop.

SSL provides end-end protection. This bug makes SSL ineffective. This in turn makes the entire path end-end at-risk. I'm not sure how much more simple I can make that.

While you may be safer on a wired home network, you are by no means safe.

not quite right (I'm not cool enough to be a Mac person, Member, join:2001-06-23, Puyallup, WA)

said by Shady Bimmer:

You may need to learn basic networking and security. This is definitely not "it".

Not really any need to learn basic networking and/or security to realize that in some aspects, the news of this is over hyped. Please tell us in cold hard numbers how many have been exploited by this flaw that's been around for over a year and a half?

Titus (Mr Gradenko, Member, join:2004-06-26) to Tex

to Tex
said by Tex:

How difficult is it to change a few lines of code and put out an update?

One line of reasoning is a wish to avoid as much Update Dribble as possible by releasing a comprehensive patch. Anyone thinking that this one block of GoTo code is the only problem is naive.
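The "one block of GoTo code" is the duplicated `goto fail;` in Apple's SSLVerifySignedServerKeyExchange. As an added illustration (not code from this thread and not Apple's source), here is the same control-flow shape on a constructed toy hash and a toy signature comparison, the vulnerable version beside the fixed one; the function names, the XOR-fold "hash" and the inputs are stand-ins chosen so the effect is visible.

```c
#include <stdint.h>
#include <string.h>

/* Toy stand-in for SSLHashSHA1.update: XOR-fold the data into an 8-byte
 * context. Constructed for the illustration; not a real hash. */
static int hash_update(uint8_t ctx[8], const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++)
        ctx[i % 8] ^= data[i];
    return 0;
}

/* Toy stand-in for SSLHashSHA1.final. */
static int hash_final(const uint8_t ctx[8], uint8_t out[8])
{
    memcpy(out, ctx, 8);
    return 0;
}

/* Toy stand-in for sslRawVerify: the "signature" is accepted only if it
 * equals the digest byte for byte. Returns 0 on match, -1 otherwise. */
static int raw_verify(const uint8_t digest[8], const uint8_t *sig, size_t sig_len)
{
    return (sig_len == 8 && memcmp(digest, sig, 8) == 0) ? 0 : -1;
}

/* Vulnerable shape. The second 'goto fail' is not guarded by the 'if', so it
 * is always taken: hash_final and raw_verify never run, and err is still 0
 * from the successful update, so the caller sees "signature OK". */
int verify_vulnerable(const uint8_t *params, size_t params_len,
                      const uint8_t *sig, size_t sig_len)
{
    uint8_t ctx[8] = {0}, digest[8] = {0};
    int err;
    if ((err = hash_update(ctx, params, params_len)) != 0)
        goto fail;
        goto fail;                       /* the duplicated line */
    if ((err = hash_final(ctx, digest)) != 0)
        goto fail;
    err = raw_verify(digest, sig, sig_len);
fail:
    return err;
}

/* Fixed shape: identical except the stray 'goto fail' is gone, so the
 * signature is actually compared before the function returns. */
int verify_fixed(const uint8_t *params, size_t params_len,
                 const uint8_t *sig, size_t sig_len)
{
    uint8_t ctx[8] = {0}, digest[8] = {0};
    int err;
    if ((err = hash_update(ctx, params, params_len)) != 0)
        goto fail;
    if ((err = hash_final(ctx, digest)) != 0)
        goto fail;
    err = raw_verify(digest, sig, sig_len);
fail:
    return err;
}
```

With 8-byte params the toy digest equals the params themselves, so a forged signature such as "ABCDEFGH" is accepted by verify_vulnerable and rejected by verify_fixed.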

not quite right (I'm not cool enough to be a Mac person, Member, join:2001-06-23, Puyallup, WA) to TAZ
And the Apple world is safe once more ... »9to5mac.com/2014/02/25/a ··· l-fixes/

Thinkdiff (MVM, join:2001-08-07, Bronx, NY) to Titus
said by Titus:

Anyone thinking that this one block of GoTo code is the only problem is naive.

It may not be the only security problem, but it was the only one reasonable for this exploit and the only one fixed in 7.0.6.

On the OS X side, 10.9.2 was already nearing release so they decided to wait and roll it into there instead of creating a 10.9.2 that only lasted a few days, followed immediately by 10.9.3.

TAZ (Member, join:2014-01-03, Tucson, AZ)

said by Thinkdiff:

On the OS X side, 10.9.2 was already nearing release so they decided to wait and roll it into there instead of creating a 10.9.2 that only lasted a few days, followed immediately by 10.9.3.

Yes, still completely inexcusable though.

dfc888 (Premium Member, join:2003-07-22, San Bruno, CA) to not quite right
said by not quite right:

And the Apple world is safe once more ... »9to5mac.com/2014/02/25/a ··· l-fixes/

Now they need iOS 7.1 beta update...

GuruGuy (Premium Member, join:2002-12-16, Atlanta, GA) to not quite right
said by not quite right:

And the Apple world is safe once more ... »9to5mac.com/2014/02/25/a ··· l-fixes/

Judging from the comments, it looks buggy.

not quite right (I'm not cool enough to be a Mac person, Member, join:2001-06-23, Puyallup, WA) to dfc888
said by dfc888:

said by not quite right:

And the Apple world is safe once more ... »9to5mac.com/2014/02/25/a ··· l-fixes/

Now they need iOS 7.1 beta update...

They just need to release iOS 7.1 already ...

not quite right (Member) to GuruGuy
said by GuruGuy:

said by not quite right:

And the Apple world is safe once more ... »9to5mac.com/2014/02/25/a ··· l-fixes/

Judging from the comments, it looks buggy.

Works great for me, that's all that matters ...

Shady Bimmer (Premium Member, join:2001-12-03) to not quite right
said by not quite right:

Not really any need to learn basic networking and/or security to realize that in some aspects, the news of this is over hyped. Please tell us in cold hard numbers how many have been exploited by this flaw that's been around for over a year and a half?

Without knowledge of networking and security, especially with respect to SSL, it is impossible to make a statement that this is being overhyped.

You are entitled to your opinion, and you are also entitled to not educate yourself, but please don't pretend to be an expert and tell others they are safe when they are in fact not.

It is not possible to identify how many may have been exploited by this - that is exactly the issue. The exploit would not be directly against SSL but rather would take advantage of the fact that SSL is not providing any protection. If you are unable to grasp this concept then you cannot make a statement that this is being overhyped. There are years (perhaps two decades) worth of exploits that would be mitigated by SSL that would now once again be more viable.

Without understanding SSL or the roles it fulfills you cannot possibly make statements about the risks involved with this issue.

Teasip (Member, join:2001-05-14, Plano, TX) to TAZ
Probably totally unrelated for reasons that I don't understand, but Safari is extremely slow in loading pages now as compared to G. Chrome. Not sure why this would be.

Update: Looks to be a FiOS issue as outlined in another thread. Safari back up to speed this morning.

not quite right (I'm not cool enough to be a Mac person, Member, join:2001-06-23, Puyallup, WA) to Shady Bimmer
said by Shady Bimmer:

said by not quite right:

Not really any need to learn basic networking and/or security to realize that in some aspects, the news of this is over hyped. Please tell us in cold hard numbers how many have been exploited by this flaw that's been around for over a year and a half?

Without knowledge of networking and security, especially with respect to SSL, it is impossible to make a statement that this is being overhyped.

You are entitled to your opinion, and you are also entitled to not educate yourself, but please don't pretend to be an expert and tell others they are safe when they are in fact not.

It is not possible to identify how many may have been exploited by this - that is exactly the issue. The exploit would not be directly against SSL but rather would take advantage of the fact that SSL is not providing any protection. If you are unable to grasp this concept then you cannot make a statement that this is being overhyped. There are years (perhaps two decades) worth of exploits that would be mitigated by SSL that would now once again be more viable.

Without understanding SSL or the roles it fulfills you cannot possibly make statements about the risks involved with this issue.

You seem to be the one trying to come off as some type of expert. When in reality you're most likely someone who just geeks out on their security, and likes to fan the flames of hyperbole because Apple was involved. You cannot prove that anyone was exploited any more than I can prove they weren't, so please tell me where expertise comes into play here? I will admit that while networking or computer security are not of great interest to me, their points are not lost on me either. One does not need to know how electricity works to know a lamp turns on when you plug it in ... Your condescending attitude was neither appreciated nor warranted, I was simply passing on information obtained from known security experts in the field.

Shady Bimmer (Premium Member, join:2001-12-03) to TAZ
said by not quite right:

Your condescending attitude was neither appreciated nor warranted, I was simply passing on information obtained from known security experts in the field.

I was not being condescending and did not mean to come across that way.

I was stating facts, having extensive personal knowledge of SSL, networking, and security; having decades of experience in the industry; and having reviewed the known details of the bug. I was refuting your statements that this is being overblown and is not a concern other than on public wifi. This is an incorrect statement that is dangerous advice to give out. By your own admission you do not know the technical details and you are not interested in learning them, so it is not prudent to keep insisting that this was not a big deal and was only a problem with public wifi.

Experts in fact do agree that this was a serious issue. If you have evidence from security experts (not clueless media) that show this was not serious could you please provide those references?

In any case Apple has now released fixes for Mavericks and everyone should be sure to apply those updates if they have not already done so.

not quite right (I'm not cool enough to be a Mac person, Member, join:2001-06-23, Puyallup, WA)

said by Shady Bimmer:

said by not quite right:

Your condescending attitude was neither appreciated nor warranted, I was simply passing on information obtained from known security experts in the field.

I was not being condescending and did not mean to come across that way.

I was stating facts, having extensive personal knowledge of SSL, networking, and security; having decades of experience in the industry; and having reviewed the known details of the bug. I was refuting your statements that this is being overblown and is not a concern other than on public wifi. This is an incorrect statement that is dangerous advice to give out. By your own admission you do not know the technical details and you are not interested in learning them, so it is not prudent to keep insisting that this was not a big deal and was only a problem with public wifi.

Experts in fact do agree that this was a serious issue. If you have evidence from security experts (not clueless media) that show this was not serious could you please provide those references?

In any case Apple has now released fixes for Mavericks and everyone should be sure to apply those updates if they have not already done so.

Update ... 3 days later, the sky hasn't fallen, the NSA isn't reading your Facebook post, and everyone has pretty much forgotten "gotofail" already. Life goes on ...

haroldo (Member, join:2004-01-16, USA)

said by not quite right:

Update ... 3 days later, the sky hasn't fallen, the NSA isn't reading your Facebook post, and everyone has pretty much forgotten "gotofail" already. Life goes on ...

I'm far from a security expert.
While I agree that this is now yesterday's news, that doesn't mean that this was a trivial matter.
We no longer live in the age where crime is obvious (bank robberies with masked gunmen).
Today's crimes, in many instances can go unnoticed for months or years (just look at Mt. Gox »www.reuters.com/article/ ··· 20140228).
With the prevalence of identity theft, IRS refund theft, charge card data breach, etc., where the individual may never know that they've been the victim, the risk of having one's confidential data exposed is enormous.
While there are no glaring headlines ("...John used an iPhone and had his bank account wiped out because of Apple's 'gotofail' bug") that doesn't mean it isn't/wasn't a problem.
IMHO
Shady Bimmer (Premium Member, join:2001-12-03)

said by haroldo:

said by not quite right:

Update ... 3 days later, the sky hasn't fallen, the NSA isn't reading your Facebook post, and everyone has pretty much forgotten "gotofail" already. Life goes on ...

While I agree that this is now yesterday's news, that doesn't mean that this was a trivial matter.
We no longer live in the age where crime is obvious (bank robberies with masked gunmen).

Sadly many do not get this. The general media is a poor indicator of security issues and unfortunately there are those that do not want to understand this. Even more sad is that these are the same individuals that become victims and never know how/why.

Details around NSA access have nothing to do with security and are more related to privacy. Security issues, such as the case here, are far more important since true criminal activity (read: theft of both one's financial assets as well as one's identity) becomes very viable and completely undetectable (i.e., it would never be known and never be publicized).

As long as the public continues to leverage the clueless media as the source of official security-related risks, the public will continue to be at serious risk. The true risks are those that more often do not receive significant attention (intentionally).

haroldo (Member, join:2004-01-16, USA)

said by haroldo:

...
Today's crimes, in many instances can go unnoticed for months or years (just look at Mt. Gox »www.reuters.com/article/ ··· 20140228). ...

Slight hijack, but, I figured, I'd ask.
When ever they discuss Bitcoin in the news, they always show images of real coins (»www.google.com/search?q= ··· imgdii=_)
What are these coins? I always thought Bitcoin was only a digital currency. Are these coins real?
Are these all 'mockups' created for news presentation?
Signed,
Confused

Thinkdiff (MVM, join:2001-08-07, Bronx, NY)

Mockups. There's no such thing as a bitcoin outside of the internet. I guess it's pretty hard for most people outside of tech to understand, so the media tries to make it seem familiar.

The round symbol with the B w/ double lines is a sort of unofficial logo used on various sites.

haroldo (Member, join:2004-01-16, USA)

Thanks!
I'll bet some 'slick operators' will try and sell them to those 'unaware'

BeesTea (Internet Janitor, Premium Member, join:2003-03-08) to haroldo
There have been a few sources of physical bitcoins.

These guys were the most famous.

»www.casascius.com/

I've held a few and they all had a valid hash imprinted on the coin. Granted, that doesn't prove that it's not in someone's wallet as well.

Thinkdiff (MVM, join:2001-08-07, Bronx, NY)

The physical item in those cases is mostly worthless (unless the coin itself is made out of a material that has value). The virtual coin that it "maps" to is what is valuable.

Like you said, the coin could've been sold to somebody else and you still have your physical, now meaningless "coin". It's akin to printing out your checking account number and saying it's worth 2,000 bucks.