Apple’s SSL/TLS Bug

Adam Langley explains, largely in layman’s terms. You don’t need to understand cryptography at all; it’s a simple C bug. He’s also set up a simple test site to show if you’re affected — iOS 7.0.6 indeed is not, but Mac OS X 10.9.1 is. I expect a similarly focused Mac OS X security update imminently.

I’ve seen speculation that this may well be a bug that has been exploited by the NSA, and that it was uncovered by an internal Apple code review after seeing certain of the Snowden slides suggesting the NSA’s ability to intercept encrypted traffic. The tell-tale sign that it was uncovered internally: there’s no credit for reporting the issue on Apple’s security notice.

(I don’t want to start a coding-style war, but I think this bug would not have happened if the code had been written using curly braces after the if statements.)

Update: Landon Fuller (remember him?) argues that this bug should have been caught through unit testing.
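The pattern behind the bug is a duplicated `goto fail;` after an unbraced `if`. The sketch below is an added example, not Apple's code and not taken from Langley's or Fuller's posts. It shows the same duplicate with and without braces, plus the negative test that tells them apart. The toy hash, `toy_sign`, `sig_check` and both `verify_*` functions are hypothetical names constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy stand-ins for the real hash and signature check (constructed). */
static int hash_update(unsigned *st, const unsigned char *d, size_t n) {
    for (size_t i = 0; i < n; i++) *st = *st * 31u + d[i];
    return 0;                            /* 0 means success */
}
unsigned toy_sign(const unsigned char *d, size_t n) {
    unsigned st = 7; hash_update(&st, d, n); return st;
}
static int sig_check(unsigned digest, unsigned sig) { return digest == sig ? 0 : -1; }

/* Unbraced if plus a duplicated goto: the second goto is unconditional. */
int verify_unbraced(const unsigned char *p, size_t n, unsigned sig) {
    int err; unsigned st = 7;
    if ((err = hash_update(&st, p, n)) != 0)
        goto fail;
        goto fail;                       /* always taken, err is still 0 */
    err = sig_check(st, sig);            /* never reached */
fail:
    return err;
}

/* Same duplicate inside braces: it becomes harmless dead code. */
int verify_braced(const unsigned char *p, size_t n, unsigned sig) {
    int err; unsigned st = 7;
    if ((err = hash_update(&st, p, n)) != 0) {
        goto fail;
        goto fail;
    }
    err = sig_check(st, sig);
fail:
    return err;
}

int main(void) {
    const unsigned char params[] = "constructed key-exchange params";
    unsigned bad = toy_sign(params, sizeof params) + 1;   /* wrong signature */
    /* Negative test: a verifier must reject a signature that does not match. */
    printf("unbraced accepts bad sig: %s\n",
           verify_unbraced(params, sizeof params, bad) == 0 ? "yes" : "no");
    printf("braced accepts bad sig:   %s\n",
           verify_braced(params, sizeof params, bad) == 0 ? "yes" : "no");
    return 0;
}
```

Compilers can flag the unbraced form: GCC's `-Wmisleading-indentation` and Clang's `-Wunreachable-code` both target this shape.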

Saturday, 22 February 2014