So if you're on Mavericks and left hanging, there are some evasive actions you can take.<p>As others have pointed out, Firefox and Chrome are not vulnerable. But what else may be relying on the system SSL implementation? Your IM client? Various software updaters? Dropbox? Skype? Etc.<p>Rather than guess, I'm whitelisting only the things I trust. I'm using the pf firewall to block all outbound connections other than DNS and SSH, using SSH to open a SOCKS proxy tunnel, and configuring Firefox to use the proxy (<i>not</i> via the system proxy settings -- via Firefox's own proxy config, so other apps don't know about it and can't get out).<p>A simpler solution for those who want to buy a commercial product would be to install Little Snitch and start with a completely empty list of approved apps, then turn on only Firefox.
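The pf allowlist and SSH SOCKS tunnel described in the comment above, sketched as an added example (not the commenter's own configuration). The SOCKS port 1080, the script name and the `user@host` argument are assumptions.

```shell
#!/bin/sh
# Added example: outbound allowlist for pf plus an SSH SOCKS tunnel.
# SOCKS_PORT and the jump-host argument are assumptions, not values from the thread.

SOCKS_PORT=1080   # assumed local SOCKS port that Firefox will point at

# Print a pf ruleset that drops all outbound traffic except DNS and SSH.
pf_rules() {
    cat <<'EOF'
# Loopback must stay open so Firefox can reach the local SOCKS listener.
set skip on lo0
# Default deny for outbound traffic, IPv4 and IPv6.
block drop out all
# DNS lookups (needed to resolve the SSH host).
pass out quick proto { tcp, udp } to any port 53 keep state
# SSH, which carries the SOCKS tunnel.
pass out quick proto tcp to any port 22 keep state
EOF
}

# Write the rules, syntax-check them, then load them and enable pf (needs root).
apply_rules() {
    rules_file=$(mktemp /tmp/pf-allowlist.XXXXXX) || return 1
    pf_rules > "$rules_file"
    pfctl -nf "$rules_file" || return 1   # -n: parse only, do not load
    pfctl -f "$rules_file" && pfctl -e
}

# Open the tunnel: -D starts a local SOCKS proxy, -N runs no remote command.
open_tunnel() {
    ssh -N -D "127.0.0.1:${SOCKS_PORT}" "$1"
}

# Usage (script name is hypothetical):
#   sudo sh pf-allowlist.sh apply
#   sh pf-allowlist.sh tunnel user@host
case "${1:-}" in
    apply)  apply_rules ;;
    tunnel) open_tunnel "${2:?usage: tunnel user@host}" ;;
    rules)  pf_rules ;;
esac
```

In Firefox's own connection settings, set the SOCKS host to 127.0.0.1 with the port above and enable `network.proxy.socks_remote_dns` so name lookups also go through the tunnel. `pfctl -f` replaces the active ruleset; reloading `/etc/pf.conf` restores the stock one.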
It's becoming quite a chore to keep your computer and online accounts secure. I'm in the industry; anyone who is not is probably a babe in the woods these days.
You can already do this here - <a href="https://www.imperialviolet.org:1266/" rel="nofollow">https://www.imperialviolet.org:1266/</a><p>On OSX Firefox and Chrome fail and Safari happily loads it. Yay for not using system crypto libraries.
Anyone who thinks Chrome and Firefox are safe from this bug doesn't understand the issue. SecureTransport is used for updating software. So an attacker could trick you into installing a malicious update to Chrome, Firefox, or for that matter anything on your system. They could even slip in malware under the guise of a patch that purportedly fixes this bug. Using alternative browsers does NOT completely protect you.
Using the program Little Snitch on OS X 10.8 now to block everything except Firefox (recommended by u/ef4 here) successfully helped Safari pass this browser test.<p>Can anyone else comment on if this is a decent solution?
I'm seeing a positive (yes the bug is there) on all my Apple devices, including my OSX laptops - laptop sees the bug IF and only IF I browse using Safari. Chrome and FF browse to your page fine on the laptop.<p>I've not seen any information about fixing this issue on OSX. Have I just missed it in the noise about the iOS fix?
I use a filtering proxy which uses OpenSSL and it just reports "socket error" in the log and retries the connection around a dozen times before it gives up, so it seems I'm not vulnerable; non-Apple software isn't affected by this?
Can anyone confirm this on an iOS 6 device? I don't have one of those anymore. Good news is iPad running 5.1.1 is not affected, which <i>almost</i> leads me to believe this vuln was introduced with iOS 7.
For HTTPS clients that don't execute JavaScript (e.g. curl), GET <a href="https://gotofail.com:1266/" rel="nofollow">https://gotofail.com:1266/</a>
I can confirm that this is fixed in 10.9.2 (since the first build of it). From the looks of things (and some friends in the Mavericks dev group), the final 10.9.2 should be dropping very soon.
I get the red "PATCH IMMEDIATELY" in Safari, where is the patch???
After a bit of research this looks like a good old UX fail since there is no patch yet anyways. Don't write something in red if there is no path to a solution.