What Apple's Goto Fail Security Bug Means to You

Safari in OS X Mavericks may not be as secure as you think, especially if you surf the Web in public places like coffee shops or at school. A serious flaw in the code Safari and Mail use, called the Goto Fail Bug, could expose data you'd rather keep private -- like passwords and banking information -- and even let hackers intercept your email. Apple promises a fix is coming, but until then it's up to you to practice safe browsing habits to help avoid accidentally exposing your personal information online.

Safari's Goto bug could expose your Web surfing to hackers

As The Mac Observer reported earlier, Apple updated iOS 7 to 7.0.6, and the stated reason was “This security update provides a fix for SSL connection verification.” To those who aren’t security-minded this sounds like a good thing, since who wouldn’t want their connection to be verified, but the wording raised all sorts of alarms in security circles. The vulnerability has been dubbed Goto Fail after the “goto fail” statement in Apple's C code that is executed when it shouldn't be.

The alarm comes from what TLS (Transport Layer Security) and its predecessor, SSL (Secure Sockets Layer), provide: two very important services. The first is confidentiality, in the form of encryption that scrambles the data you send over the network so that others can’t read it. The second, and the one this bug involves, is authentication, also known as verification: assurance that the system you’re exchanging data with is who it says it is.

This authentication is done via what’s known as a digital signature, using a technology called public key cryptography. A signature is created with a private key, a piece of data that only the owner of a system and its corresponding certificate should possess, and verified with the matching public key, which your computer checks against the certificates it trusts. The problem is that if the signature isn’t verified when an SSL/TLS connection is established, someone can launch what is known as a “man in the middle” attack, meaning they could monitor your network traffic without your knowing it.
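To make the control-flow mistake concrete, here is an added C sketch, not Apple's code: the hashing and signature steps of the handshake are stubbed with constructed flags, and the vulnerable shape with the duplicated “goto fail;” line sits beside the corrected one.

```c
#include <stdio.h>

/* Simplified stand-in for the signature check in an SSL/TLS handshake.
 * The real code hashes the signed parameters step by step and jumps to a
 * "fail" label on the first non-zero error code. Each step is stubbed here
 * with a flag so only the control flow is exercised (constructed input). */
typedef struct {
    int hash_ok;       /* does hashing the signed parameters succeed? */
    int signature_ok;  /* does the signature actually match? */
} handshake_t;

static int hash_update(const handshake_t *h) { return h->hash_ok ? 0 : -1; }
static int hash_final(const handshake_t *h)  { return h->hash_ok ? 0 : -1; }
static int verify_sig(const handshake_t *h)  { return h->signature_ok ? 0 : -2; }

/* Vulnerable shape: the second "goto fail;" is unconditional, so the
 * remaining checks never run and err is still 0 (success) at the label. */
int verify_vulnerable(const handshake_t *h)
{
    int err = 0;
    if ((err = hash_update(h)) != 0)
        goto fail;
        goto fail;                     /* the stray line: always taken */
    if ((err = hash_final(h)) != 0)    /* unreachable */
        goto fail;
    if ((err = verify_sig(h)) != 0)    /* unreachable: signature never checked */
        goto fail;
fail:
    return err;                        /* 0 even for a forged signature */
}

/* Fixed shape: one goto per check, braces make the intended flow explicit. */
int verify_fixed(const handshake_t *h)
{
    int err = 0;
    if ((err = hash_update(h)) != 0) {
        goto fail;
    }
    if ((err = hash_final(h)) != 0) {
        goto fail;
    }
    if ((err = verify_sig(h)) != 0) {
        goto fail;
    }
fail:
    return err;                        /* non-zero for a forged signature */
}

int main(void)
{
    handshake_t forged = { 1, 0 };     /* constructed: hash fine, bad signature */
    printf("vulnerable: %d, fixed: %d\n", verify_vulnerable(&forged), verify_fixed(&forged));
    return 0;
}
```

Compiling with unreachable-code warnings enabled (for example clang's -Wunreachable-code) points straight at the skipped checks.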

The concern is that while Apple has patched this vulnerability in iOS 6, iOS 7 and Apple TV 6, as of this writing it hasn’t yet patched OS X 10.9.x, which shares the same security code as iOS. To see if your browser is vulnerable, you can use the Goto Fail Browser Security Check.

At this point, Safari is vulnerable, but other browsers, such as Firefox and Chrome, which don’t use Apple’s SSL/TLS implementation, are not. This isn’t just a matter of using a different browser, though, since other pieces of Apple software, such as Mail.app, also use Apple’s SSL/TLS implementation.

What can you do to reduce the risk of your data being compromised? Avoid using public Wi-Fi. If you must use it, consider using a VPN (Cloak is a fine choice for OS X and iOS) to provide an additional layer of security for your network connection. If you send sensitive data via email, consider using S/MIME or GPG to encrypt and sign your email. If you're really worried, use an earlier version of OS X, since only Mavericks looks to be vulnerable per the Vulnerability Summary for CVE-2014-1266.

And try not to panic, at least not until you've found your towel. This bug will not send all of your confidential data to the criminals of the world, but it certainly makes it easier for those with the right tools.