Posted on 04/08/2014 6:13:21 PM PDT by Drago
From your link (THANKS!)
All good, us-mg6.mail.yahoo.com seems not affected!
“The way I understand it, OSX still uses version 9, version 9.6-10.2 has the leak. If an instance of 9 on the host sync’s up with 9 on OSX where’s the problem.”
No. You don’t understand.
Short summary - your data is vulnerable, your Mac is not immune.
This exploit is not a Mac exploit, it’s an OpenSSL exploit. Do you know what those words mean? Mac and OpenSSL? Mac is the obsolete and obscenely overpriced computer that some bright marketers repackaged in order to sell to technophobes - OpenSSL is a piece of software used by some websites to encrypt information.
Why do you mistakenly think your Mac, or your operating system, can protect you from flaws in the software that Yahoo and other websites use to store information or communicate with you?
Let me explain it from your end. When you turn on your computer and open your web browser, you can communicate with other computers in the world. The websites you visit, like Free Republic and Yahoo, are actually files located on the harddrives of other computers.
When you log in to a website in order to purchase something, or log in to an account in order to email someone or post on a discussion board, those other computers that are hosting those sites and services use encryption software in order to communicate private details with your computer.
OpenSSL is one of the types of encryption software used to communicate encrypted information (passwords, credit card numbers, etc.).
However, there’s a problem, one of the types of software used to encrypt user data and communications has a flaw. That flaw is unrelated to the problem Mac users had a few months back, when their Macs basically went around screaming to everyone that was listening “HEY EVERYONE! Look at what this guy is trying to encrypt!”
The fact that a few months back your crappy, obsolete, overpriced idiot-box wasn’t even bothering to properly use encryption for communication of sensitive information is totally and completely unrelated to the fact that one of the pieces of software people can use to encrypt information has a flaw in it.
Your operating system has nothing to do with the software Yahoo and other sites have installed on their own machines.
Nor does a patch to your Mac meant to get it to use encryption properly in the first place do anything whatsoever to fix any flaws encryption method or the software used to communicate encrypted information.
The fact that a few months back anyone in the world could view what a Mac user was doing (because the Mac wasn’t even really bothering to encrypt anything) is totally and completely unrelated to the fact that encryption can be broken. Apple may have come along and gotten your overpriced, obsolete piece of technology-for-the-technically-challenged to finally use encryption, but there’s a flaw in some of the encryption software out there.
Oh don’t get me wrong, this is a significant exploit, but I was responding to the assertion that virtually all net traffic would become readable.
OpenSSL is used by linux-folks like us (I’ve already updated my slackware boxes) and a fraction of webservers - as you said often but not exclusively Linux-based webservers (and automated cat treat machines, sadly). That’s a far cry from all net traffic, though it still remains a significant exploit - especially for the cats.
This will result in a number of costly problems, but most M$ and Mac users out there aren’t going to be seeing it manifest personally, and are just going to be experiencing their web-services updating their software and shuffling around user-logins - most of what they’re going to have to be doing will likely be related to user-prompts and password changes popping up once sites start trying to sort out the mess of potentially compromised private master keys, potentially compromised session cookies, and spoofed site certifications.
On the admin side this is one hell of a hairball to sort out.
Some people are born as arrogant pricks, they make up for a defective personality by making their opinions sound important.
I was responding to the assertion that virtually all net traffic would become readable.That certainly wasn't an assertion that I made. The point I was making is that the site owner won't necessarily know whether or not his private key was stolen, and end users won't know whether a HTTPS site they are visiting has had it's key stolen. You can patch your software to remove the vulnerability, but the horse has already left the barn.
Thanks. Looks like my sites at InMotion are vulnerable. Good thing I’m not doing any commerce on them.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.