... in more ways than one.
Apple rushes to fix glaring security flaw: 'As bad as you could imagine'
Why is this just now coming to light — especially in this forum?!
And what's the best way of protecting one's online time?
I found out about it earlier, here.
I'm running DNSCrypt, and my deuced Mac(hina) passes the test to which the article links.
Edit: Nope! I just turned DNSC off and quit/relaunched Safari, and I'm still "protected". (Safari 5.1.10)
Hmmm... I dunno.
Merci, artie.
I'm running Firefox and according to https://gotofail.com/ it's safe.
Hotcha!
Per the CNET article: "Therefore, until a fix is released you might consider downloading and using Firefox, which has been deemed safe from this bug."
Other articles have pointed out that to exploit the bug, someone must be on the same local network as you. The article advised caution with (i.e., avoid!) free access networks and local hotspots.
If you really want to be paranoid, check out this article, which talks about the proof-of-concept malicious app that can unknowingly record screen taps on your iDevice.
In the rush to tout the severity of the bug, it appears that the tech media generally have done a poor job of explaining the issues.
First, it's not a flaw in Safari; it's a flaw in the handling of SSL by multiple Apple apps, including Mail. Changing browsers removes the vulnerability only when browsing, but an unpatched system is still vulnerable through these other apps.
Second, with respect to OS X, only systems running Mavericks—10.9.1 or 10.9.2—are affected. You folks on Snow Leopard, Lion or Mountain Lion are unaffected, and the 10.9.2 update patches the problem for Mavericks users.
Third, the vulnerability, as Ira points out, is limited to shared networks. That's a big deal with mobile devices, but not quite as wide an exposure for those of us using Macs on private networks in our homes.
Security updates for OS X (Mavericks 10.9.x, Mountain Lion 10.8.x, Lion 10.7.x) are now available on the Apple Support website.