Q: is airport extreme vulnerable to heartbleed

is airport extreme vulnerable to heartbleed with all Mac users?

Posted by meanbeam on Apr 11, 2014 8:40 AM

  • by MadMacs0, Helpful

    MadMacs0, Level 5 (4,801 points), Apr 11, 2014 11:41 PM, in response to meanbeam

    All the information about Heartbleed vulnerabilities concerns server use.

    There have been scattered reports about other equipment that uses OpenSSL, but no details on how that could be attacked to obtain anything.

    Nobody I have spoken with believes that OpenSSL is used by the operating systems of any Apple equipment, including AirPorts.

  • by Massimo Lombardo

    Massimo Lombardo, Level 2 (296 points), Mac OS X, Apr 27, 2014 5:59 AM, in response to MadMacs0

    Maybe you're right, but then why do you find OpenSSL in the acknowledgments of iTunes and AirPort?

  • by meanbeam, Solved answer

    meanbeam, Level 1 (4 points), Mac OS X, Apr 27, 2014 7:20 AM, in response to meanbeam

    The update, dubbed AirPort Base Station Firmware Update 7.7.3, repairs a vulnerability in the OpenSSL library that could allow an attacker to initiate a man-in-the-middle attack to intercept data, Apple said in a statement Tuesday. The only AirPort base stations affected by the bug are the AirPort Extreme and AirPort Time Capsule base stations with 802.11ac with Back to My Mac or Send Diagnostics enabled.

    http://www.cnet.com/news/apple-issues-heartbleed-bug-fix-for-airport-base-stations/

  • by MadMacs0

    MadMacs0, Level 5 (4,801 points), Apr 27, 2014 11:21 AM, in response to Massimo Lombardo

    Massimo Lombardo wrote:

        why do you find OpenSSL in the acknowledgments of iTunes and AirPort?

    I did run across one person who had an AirPort Extreme that they thought might be vulnerable after I posted the above, and it turned out that he was correct.

    Nothing has been acknowledged concerning iTunes vulnerability.

  • by Massimo Lombardo

    Massimo Lombardo, Level 2 (296 points), Mac OS X, Apr 27, 2014 12:58 PM, in response to MadMacs0

    Maybe I'm wrong, but I have no idea which components are built behind iTunes (and the iTunes Store "secure connections"), AirPort, or iPhoto, which also makes a "secure connection" to allow buying photo prints, photo books, etc.

    I only know that a reference to OpenSSL was found in the acknowledgments of iTunes. When I asked Apple support about this, they could not give any exhaustive answer when I spoke about security.

    Another problem is the developer suites (see Ruby), where you may also have other versions of OpenSSL installed. I ran a locate for openssl and for the individual libs used by OpenSSL 1.0.1 to 1.0.1f, and replaced them manually with the 1.0.1g versions, after a tested compilation from the 1.0.1g source.

    Sure is sure.

    But I'm not as good as Filippo Valsorda (https://filippo.io), who is deep in cryptography and wrote the first Python script to test an https connection for Heartbleed vulnerability.

    I think we must always be careful about whether it is a good idea to let the computers do everything "automatically", and whether it is a good idea to store sensitive information over the internet ...

  • by MadMacs0

    MadMacs0, Level 5 (4,801 points), Apr 27, 2014 1:51 PM, in response to Massimo Lombardo

    Massimo Lombardo wrote:

        Maybe I'm wrong, but I have no idea which components are built behind iTunes (and the iTunes Store "secure connections"), AirPort, or iPhoto, which also makes a "secure connection" to allow buying photo prints, photo books, etc.

    I have some doubts along these lines myself because I have not seen anything officially from Apple with regard to this, but it has been widely reported that:

        “Apple takes security very seriously. ... key Web-based services were not affected,” an Apple spokesperson told Re/code.

    So if this is true it would have to cover iTunes and iPhoto purchases. There are still many unexplained reports of credit card fraud involving iTunes, but those date back to way before iTunes was using secure connections, so I can't see any connection. The use of Akamai's network to distribute files could have something to do with this, but I don't see any reason for that network to have access to either user credentials or credit card information, so even though Akamai did have a Heartbleed problem for an extended period, it's not clear that this plays a part in the situation.

        I only know that a reference to OpenSSL was found in the acknowledgments of iTunes.

    I don't know what you mean by this. What acknowledgements are you referring to? Please provide a link.

        Another problem is the developer suites (see Ruby), where you may also have other versions of OpenSSL installed. I ran a locate for openssl and for the individual libs used by OpenSSL 1.0.1 to 1.0.1f, and replaced them manually with the 1.0.1g versions, after a tested compilation from the 1.0.1g source.

        Sure is sure.

    Not sure I'm following you, but I think you are saying that third-party software may install a vulnerable version of OpenSSL on your computer, and I agree. I had an application from MacPorts which had done this, and it was updated to 1.0.1g the same day it was released, but that required me to run the update routine in order to fix it.

        But I'm not as good as Filippo Valsorda (https://filippo.io), who is deep in cryptography and wrote the first Python script to test an https connection for Heartbleed vulnerability.

    Yes, and I applaud his aggressiveness in making that script quickly available to users, but it has been found to be somewhat inadequate ("What's worse than Heartbleed? Bugs in Heartbleed detection scripts"), so I only use Qualys SSL Labs tests now.
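
    The difference between a sound Heartbleed check and a buggy one comes down to what the script does with the server's reply. The following is an added example, not the script referred to above and not code from any poster: it parses TLS heartbeat records offline, over constructed byte strings rather than captures from any host, and answers the one question a detector must get right, namely whether the server echoed more payload than the probe actually carried. It assumes the RFC 6520 record layout and that the probe went out after a completed handshake; the record version 0x0302 and the 64-byte claimed length are arbitrary choices for the sample.

```python
"""Classify a server's reply to a TLS heartbeat probe, offline.

Added example for the thread above, not the detection script it mentions.
The replies at the bottom are constructed byte strings, not captures.
"""
import struct

CONTENT_ALERT = 21
CONTENT_HEARTBEAT = 24
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding after the payload


def build_probe(claimed_len: int, payload: bytes, version: int = 0x0302) -> bytes:
    """One heartbeat request record whose length field may exceed its payload.

    A correct server (RFC 6520 sec. 4) discards a request whose claimed length
    does not fit in the record; the Heartbleed bug copied claimed_len bytes
    out of memory anyway.
    """
    body = bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", CONTENT_HEARTBEAT, version, len(body)) + body


def parse_records(data: bytes):
    """Split a byte stream into (content_type, version, body) TLS records."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated final record: stop rather than guess
        records.append((ctype, version, body))
        off += 5 + length
    return records


def classify(reply: bytes, sent_payload_len: int) -> str:
    """'vulnerable', 'no_over_read', 'alert' or 'no_heartbeat'.

    Heartbeat bodies are reassembled across records first, because a large
    response is fragmented into 2**14-byte records. 'no_heartbeat' only means
    nothing useful came back (a fixed server silently dropping the probe,
    heartbeat disabled, or a timeout); it is not proof of safety, which is the
    false negative the buggy scripts produced.
    """
    records = parse_records(reply)
    hb = b"".join(body for ctype, _, body in records if ctype == CONTENT_HEARTBEAT)
    if not hb:
        return "alert" if any(c == CONTENT_ALERT for c, _, _ in records) else "no_heartbeat"
    if len(hb) < 3 or hb[0] != HB_RESPONSE:
        return "no_heartbeat"
    # Everything after the 3-byte header is payload plus padding; padding is at
    # least MIN_PADDING, so this is a lower bound on the echoed payload.
    echoed = len(hb) - 3 - MIN_PADDING
    return "vulnerable" if echoed > sent_payload_len else "no_over_read"


def _record(ctype: int, body: bytes, version: int = 0x0302) -> bytes:
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed replies to a probe that claimed 64 bytes but carried 1 ("A").
SENT_PAYLOAD = b"A"
CLAIMED_LEN = 64
PROBE = build_probe(CLAIMED_LEN, SENT_PAYLOAD)
_over_read = SENT_PAYLOAD + bytes(range(CLAIMED_LEN - 1))  # stand-in for leaked memory
_hb_vuln = bytes([HB_RESPONSE]) + struct.pack("!H", CLAIMED_LEN) + _over_read + b"\x00" * MIN_PADDING
# The 83-byte response arrives split over two records, as real ones may be.
VULNERABLE_REPLY = _record(CONTENT_HEARTBEAT, _hb_vuln[:40]) + _record(CONTENT_HEARTBEAT, _hb_vuln[40:])
# A server that echoes exactly the byte it received: no over-read shown.
EXACT_ECHO_REPLY = _record(CONTENT_HEARTBEAT, bytes([HB_RESPONSE]) + struct.pack("!H", 1) + SENT_PAYLOAD + b"\x00" * MIN_PADDING)
ALERT_REPLY = _record(CONTENT_ALERT, b"\x02\x0a")  # fatal, unexpected_message

if __name__ == "__main__":
    for name, reply in [("vulnerable", VULNERABLE_REPLY), ("exact echo", EXACT_ECHO_REPLY),
                        ("alert", ALERT_REPLY), ("silent", b"")]:
        print(f"{name:11} -> {classify(reply, len(SENT_PAYLOAD))}")
```

    Two points the sample makes concrete: a detector has to reassemble heartbeat records before measuring the echo, and it must report a silent server as "undetermined" rather than "not vulnerable", since a fixed OpenSSL drops the malformed probe without answering.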

  • by Massimo Lombardo

    Massimo Lombardo, Level 2 (296 points), Mac OS X, Apr 27, 2014 2:49 PM, in response to MadMacs0

    MadMacs0 wrote:

        Massimo Lombardo wrote:

            I only know that a reference to OpenSSL was found in the acknowledgments of iTunes.

        I don't know what you mean by this. What acknowledgements are you referring to? Please provide a link.

            Another problem is the developer suites (see Ruby), where you may also have other versions of OpenSSL installed. I ran a locate for openssl and for the individual libs used by OpenSSL 1.0.1 to 1.0.1f, and replaced them manually with the 1.0.1g versions, after a tested compilation from the 1.0.1g source.

            Sure is sure.

        Not sure I'm following you, but I think you are saying that third-party software may install a vulnerable version of OpenSSL on your computer, and I agree. I had an application from MacPorts which had done this, and it was updated to 1.0.1g the same day it was released, but that required me to run the update routine in order to fix it.

            But I'm not as good as Filippo Valsorda (https://filippo.io), who is deep in cryptography and wrote the first Python script to test an https connection for Heartbleed vulnerability.

        Yes, and I applaud his aggressiveness in making that script quickly available to users, but it has been found to be somewhat inadequate ("What's worse than Heartbleed? Bugs in Heartbleed detection scripts"), so I only use Qualys SSL Labs tests now.

    You can find the acknowledgements I meant (simply using Spotlight) under

    /Library/Documentation/Applications/iTunes/Acknowledgements.rtf

    Also, you can find Ruby in /System/Library/Frameworks, or in the developer packages if you have installed Apple's developer suite.

    I mean that sometimes there are many copies of OpenSSL (or of software packages) installed on the same system, and they are not called centrally, but from frameworks or single software packages that use only their own dedicated / implemented version.

    But the real problem is the 20 months in the wild when big brothers had time and tech enough to list and save encryption keys, certificates, and everything they need to rebuild a saved connection!

  • by MadMacs0

    MadMacs0, Level 5 (4,801 points), Apr 27, 2014 3:16 PM, in response to Massimo Lombardo

    Massimo Lombardo wrote:

        /Library/Documentation/Applications/iTunes/Acknowledgements.rtf

    That same information is contained in /Library/Documentation/Acknowledgements.rtf, but it's meaningless if you accept what Apple pointed out back in February in "Transmitting Data Securely":

        ...although OpenSSL is commonly used in the open source community, it does not provide a stable API from version to version. For this reason, the programmatic interface to OpenSSL is deprecated in OS X and is not provided in iOS. Use of the Apple-provided OpenSSL libraries by apps is strongly discouraged.

        Also, you can find Ruby in /System/Library/Frameworks, or in the developer packages if you have installed Apple's developer suite.

    To verify the version of OpenSSL currently installed with Ruby, use the following Terminal command:

    ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'

    Mine comes back with OpenSSL 0.9.8y 5 Feb 2013
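
    The Ruby one-liner above reports only the OpenSSL that Ruby was built against; the earlier post about MacPorts, Ruby and hand-replaced 1.0.1g libraries is really about finding every copy on the box. As an added example, not code from any poster or from Apple, the following scans for the version string OpenSSL compiles into libcrypto/libssl (the same string the Ruby command prints) and flags the Heartbleed-affected range, 1.0.1 through 1.0.1f plus 1.0.2-beta1 (CVE-2014-0160). The directory list in the main block and the file-name filter are assumptions for a typical OS X layout, and the blobs in SAMPLE_BLOBS are constructed stand-ins, not real binaries.

```python
"""Find every OpenSSL copy on a machine and flag the Heartbleed-affected range.

Added example for the thread above, not code from the posters or from Apple.
Scans candidate files for the embedded "OpenSSL x.y.zL <date>" string and
classifies each version found. SAMPLE_BLOBS are constructed, not real libraries.
"""
import os
import re
import sys

VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")
# Assumption: only files named like an OpenSSL library or binary are read.
CANDIDATE_RE = re.compile(r"libssl|libcrypto|openssl", re.IGNORECASE)


def parse_versions(data: bytes):
    """Every distinct (major, minor, fix, letter, beta) embedded in data.

    b'OpenSSL 1.0.1f 6 Jan 2014'      -> (1, 0, 1, 'f', None)
    b'OpenSSL 1.0.2-beta1 24 Feb 2014' -> (1, 0, 2, '', 1)
    """
    found = []
    for m in VERSION_RE.finditer(data):
        v = (int(m.group(1)), int(m.group(2)), int(m.group(3)),
             m.group(4).decode(), int(m.group(5)) if m.group(5) else None)
        if v not in found:
            found.append(v)
    return found


def fmt(v) -> str:
    major, minor, fix, letter, beta = v
    s = f"{major}.{minor}.{fix}{letter}"
    return s if beta is None else f"{s}-beta{beta}"


def heartbleed_affected(v) -> bool:
    """True for 1.0.1 (no letter) up to and including 1.0.1f, and 1.0.2-beta1.

    0.9.8 and 1.0.0 predate the heartbeat code; 1.0.1g and 1.0.2-beta2 fixed it.
    """
    major, minor, fix, letter, beta = v
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"  # '' (plain 1.0.1) sorts before 'a'
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1
    return False


def classify_blob(data: bytes):
    """[(version_string, affected), ...] for every version found in data."""
    return [(fmt(v), heartbleed_affected(v)) for v in parse_versions(data)]


def scan(roots):
    """Walk roots and yield (path, version_string, affected) per embedded copy.

    The version string is a necessary but not sufficient signal: vendors who
    backport the fix without bumping the version (Debian and Red Hat did) show
    as affected here, so confirm with the package changelog or a live test.
    """
    for root in roots:
        for dirpath, _, names in os.walk(root, onerror=lambda e: None):
            for name in names:
                if not CANDIDATE_RE.search(name):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as f:
                        data = f.read()
                except OSError:
                    continue  # unreadable or vanished between listing and open
                for version, affected in classify_blob(data):
                    yield path, version, affected


# Constructed samples standing in for library contents.
SAMPLE_BLOBS = {
    "libssl.0.9.8.dylib": b"\x00OpenSSL 0.9.8y 5 Feb 2013\x00",
    "libssl.1.0.0.dylib": b"\x00OpenSSL 1.0.1f 6 Jan 2014\x00",
    "ports-libcrypto": b"OpenSSL 1.0.1g 7 Apr 2014",
    "beta-build": b"OpenSSL 1.0.2-beta1 24 Feb 2014",
}


def demo():
    """Classify the constructed samples; returns {name: [(version, affected)]}."""
    return {name: classify_blob(blob) for name, blob in SAMPLE_BLOBS.items()}


if __name__ == "__main__":
    # Assumed roots for an OS X system; pass your own as arguments.
    roots = sys.argv[1:] or ["/usr/lib", "/Library", "/System/Library", "/opt"]
    for path, version, affected in scan(roots):
        print(f"{'AFFECTED' if affected else 'ok      '} {version:14} {path}")
```

    Run it as `python3 scan_openssl.py /opt/local /usr/local` to cover MacPorts and Homebrew prefixes as well as the system paths; a 0.9.8y hit for the Apple-supplied library is expected and not affected, while a 1.0.1a-f hit under a third-party prefix is exactly the case the MacPorts update in the thread fixed.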