Did you think that only Windows users had to worry about security issues? While Apple has usually been the more secure and reliably safe platform, recent news about a flaw in their security has changed that perception. According to a new report, Apple users have been susceptible to a man in the middle attack when using Safari (and other applications) on supposedly secure websites.
Oh, and this has been going on since September 2012.
Understanding Secure Websites (HTTPS) and SSL
Retailers, banks, and other online retailers use secure websites — HTTPS (Hypertext Transfer Protocol Secure) — to provide secure transactions. You can tell whether a website is “secure” if it has “https” in its URL and has a small lock symbol next to it.
SSL, or Secure Sockets Layer, is the technology behind HTTPS. SSL creates an encrypted link between a website and your browser and supposedly ensures that all data passed between them remains private.
SSL isn’t perfect. Indeed, just last year, two Internet researchers were able to demonstrate that websites using HTTPS could have their login ID cookies hacked, and recently released documents indicate that the NSA had a hand in weakening the Internet protocols that would make HTTPS more safe.
But Apple’s mistake made SSL even less safe. In a nutshell, Apple’s SSL was unable to verify if the servers your device was talking to was actually who they said they were. This meant that your Apple device was susceptible to a man in the middle attack. While a personal VPN does not necessarily protect from this kind of vulnerability, events like this make everyone realize how important a VPN is overall. For example, Slate writer Phil Plaite wrote about this a few days ago, noting that “whether you use Apple, Windows, or what-have-you, I do suggest getting yourself a VPN. I’m not sure it would’ve helped in this case, but I find it very useful indeed when I travel.”
What Are Man in the Middle Attacks?
A man in the middle attack happens when an attacker within range of a public WiFi network redirects all network traffic through his computer, usually by imitating another WiFi network.
Users have no idea if they are logging into a legitimate WiFi network or a fraudulent one.
The attacker can then eavesdrop on all communication you send (such as your passwords, bank account login information, and any private communication sent to others). They can even change this information before sending it on.
The worst part about a man in the middle attack is that you have no idea that you are being spied upon.
This security flaw affects nearly all iOS and OS users. If you are using an iOS device, you should immediately download version 7.0.6. If you are using an old iPod touch, you can download iOS 6.1.6 instead.
Currently, there is no patch available for OS X users. Your best bet is to use Chrome or Firefox browsers, which do not have the security flaw. Try to stay off of public WiFi networks, or if you have to use them, do not do anything that could lead to the theft of your personal information.
That means do not do any online banking, don’t purchase anything, and don’t send any private information to anyone else.
Below is a list of applications that OS X users should avoid using if accessing a public WiFi network:
- Software update