Heartbleed SSL bug

The New York Times, Reuters and AP News all reported the Heartbleed vulnerability in OpenSSL (CVE-2014-0160). It allows an attacker to get memory dumps with all kinds of data. This is bad. But what about Apple OS X?


A careful read of the article shows that it states that OpenSSL version 0.9.8 is not vulnerable. I checked my Apple Mac OS X 10.8 and OS X 10.9 servers, which show OpenSSL 0.9.8y, and they are alright. But this is not an official statement by Apple Inc., of course, so you had better check yourself. Here is how, just in case you run a secure website:

In Applications > Utilities > Terminal

Type or paste

openssl version -a

and hit the <enter> key. Look at the first line, which will give you the version. Compare this with the Heartbleed article (about halfway down the page).
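
The comparison step above, as an added example that is not part of the original post: a shell function that classifies the first line of `openssl version` against the published CVE-2014-0160 affected range (1.0.1 through 1.0.1f, and 1.0.2-beta1). The function name `heartbleed_status`, its result labels and the sample version lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an `openssl version` line against the published
# CVE-2014-0160 affected range. Function name and sample lines are constructed.
#   affected-range : 1.0.1 through 1.0.1f (any build suffix), 1.0.2-beta1
#   not-affected   : 0.9.x, 1.0.0x, 1.0.1g and later, 1.0.2 from beta2 on, newer
#   unknown        : not an OpenSSL version line, or a version not listed here
heartbleed_status() {
    # Only the first line matters, so full `openssl version -a` output works too.
    product=$(printf '%s\n' "$1" | awk 'NR==1 {print $1}')
    ver=$(printf '%s\n' "$1" | awk 'NR==1 {print $2}')
    if [ "$product" != "OpenSSL" ]; then
        echo unknown
        return 0
    fi
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
            # A vendor may have backported the fix without changing this string.
            echo affected-range ;;
        0.9.*|1.0.0*|1.0.1[g-z]*|1.0.2*|1.1.*|[3-9].*)
            echo not-affected ;;
        *)
            echo unknown ;;
    esac
}

# Constructed sample lines, in the format `openssl version` prints.
for line in 'OpenSSL 0.9.8y 5 Feb 2013' \
            'OpenSSL 1.0.1e-fips 11 Feb 2013' \
            'OpenSSL 1.0.1g 7 Apr 2014'; do
    printf '%-36s %s\n' "$line" "$(heartbleed_status "$line")"
done

# Live check on this machine, when the openssl tool is installed.
if command -v openssl >/dev/null 2>&1; then
    printf 'this host: %s\n' "$(heartbleed_status "$(openssl version)")"
fi
```

A result of `affected-range` on a system whose vendor backports fixes without changing the version string still needs the `built on:` line of `openssl version -a` and the vendor's advisory to settle it. The command-line tool also only reports the library it is linked against, which may differ from the one a web server loads.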


So Apple users are OK? No, we are not. We interact with other websites which collect some information (username and password). These websites might have been compromised in the past or are still compromised. As such, these sites might have leaked user information and more. Even if those websites are updated, the attacker can still possess your username and password. So you should change those passwords.


Is there a way to see which websites are safe? No, there is not, without initiating the attack itself. Which we cannot recommend... but here is how.