by cantfindmypass 4498 days ago
I just made this - it'll tell you if you're vulnerable.

https://gotofail.com/

Not very well tested, please let me know if it works for you. If you're on OS X Mavericks or on iOS 7 and haven't patched you should get big scary red text.

Edit: posted here https://news.ycombinator.com/item?id=7282164

5 comments

"If you're on OS X Mavericks or on iOS 7 and haven't patched"

how do I patch on OS X Mavericks? Software update shows nothing to update

There is no patch for Mavericks out yet. :-(
I thought Apple's policy was to not release these sorts of security notices until a fix was in place?
That's partially why people are so upset. Mavericks is still very much vulnerable to a publicly acknowledged bug with many PoCs out.
> how do I patch on OS X Mavericks

Install Ubuntu.

I kid, I kid.

The article contains a similar test: https://www.imperialviolet.org:1266
I wanted to make something that gives something a little more useful than an error page if you're safe.
Fair enough, and there's now two alternatives to confirm with.
I just noticed that his works differently than mine.
Your checker doesn't work well with curl, btw -- you end up seeing both the not vulnerable AND the vulnerable (alt text) messages.
There's not a whole lot I can do about that without adding a lot of complexity. You could try downloading https://gotofail.com:1266/test.png I suppose.
curl https://gotofail.com:1266/

Clients that aren't vulnerable should flip out when trying to load that.

Safari/iOS 4.3.3: not vulnerable; Safari/iOS 7.0.4: VULNERABLE; Chrome/iOS 7.0.4: not vulnerable

Looks like using Chrome instead of Safari may help; I'd say it would be more interesting if standard mail client can be fooled.

I would be shocked if this doesn't apply to the email client as well.
I noticed a while ago that while Safari supports TLS 1.2, Mail does not. So somewhere in the implementation they are using different code. (Not agreeing or disagreeing, just mentioning an observation.)
This also impacts iOS 6; there's an update available.
Is it possible to get the iOS 6 update if your device supports iOS 7? iTunes only offers the 7.0.6 update.
Yes, I did it this morning. Look for the update from your phone, so it's a smaller download anyway. It takes more room than they ask for, maybe 750 meg. I just temporarily deleted some podcasts to make room.
Safari on 10.8.5 is not vulnerable. Way to go, slow corporate adoption schedule!