Here's How Apple Avoided Heartbleed

Apple was conspicuously absent from the list of firms impacted by Heartbleed. Was it by accident, or by design?

Apr 16, 2014 at 7:30PM

Apple (NASDAQ:AAPL) earned another feather for its cap last week when it became apparent that iOS and OS X web services were not exposed to the Heartbleed security flaw that affected millions of websites. Over the years, Apple has been criticized for tightly controlling its ecosystem. But this time, it clearly benefited developers and infrastructure managers.

Apple didn't know about the flaw in advance, but it avoided a problem many reputable companies fell victim to, and it did so by being cautious about the lack of controls around open-source updates. Chance favors the prepared.

Heartbleed's vulnerability was from trusting a handshake
Ronald Reagan used the phrase "trust, but verify" when describing foreign policy. That phrase might sum up the issue that recently plagued the open-source community. OpenSSL is a security library that implements the protocol by which your computer and the server establish what they are connected to. Once the connection is made, the two sides periodically exchange small messages to make sure the connection is still valid. This extra traffic is known as a heartbeat.

The problem arose from this heartbeat. OpenSSL copied the requested payload out of memory without verifying that the length claimed in the heartbeat request matched the length of the packet actually received. Since the server didn't check that the amount of information being requested matched the size of the request packet, a client could ask for more information than it had sent.

To a programmer, this looks like a simple mistake, which is probably why it went unnoticed for so long. But it opened the door for hackers to ask for more information than they sent over. For example, if the hacker tells a server that the client sent 10 bits of information, but it actually sent only one, he will get back his one bit of information plus nine other bits of extra data left over from a prior transaction. Those nine other bits are whatever happened to be in memory, but they may contain a password, email address, or bank account number.
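The missing check described above, as an added example that is not from the article or from OpenSSL: a toy heartbeat handler with the length check absent and then present, run against a constructed request that claims 32 bytes of payload but carries only 2, placed in front of constructed leftover data. The record layout, buffer contents and function names are all assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy heartbeat record: type(1) | payload_length(2, big-endian) | payload | padding(16).
 * A constructed model of the check that was missing, not OpenSSL's own code. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_PAD = 16 };

/* Constructed server memory: a 21-byte request (2-byte payload "hi" but a claimed
 * length of 32) sits at the start, followed by stale data from an earlier transaction. */
static const uint8_t SERVER_MEM[64] =
    "\x01\x00\x20" "hi" "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" "user=alice;pw=hunter2";
/* Constructed honest request: claimed length 2 matches the 2-byte payload. */
static const uint8_t GOOD_REQ[21] = "\x01\x00\x02" "hi" "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
static uint8_t RESPONSE[128];   /* where the handlers write their reply */

static size_t claimed_len(const uint8_t *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* Before the fix: copies whatever length the request claims; rec_len is never consulted. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    (void)rec_len;
    size_t n = claimed_len(rec);
    if (HB_HDR + n + HB_PAD > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, n);       /* reads past the end of the real record */
    memset(out + HB_HDR + n, 0, HB_PAD);
    return HB_HDR + n + HB_PAD;
}

/* After the fix: header + claimed payload + padding must fit inside the bytes received. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PAD) return 0;     /* too short to hold a valid request */
    size_t n = claimed_len(rec);
    if (HB_HDR + n + HB_PAD > rec_len) return 0; /* claimed more than was sent: discard */
    if (HB_HDR + n + HB_PAD > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, n);       /* now provably inside the record */
    memset(out + HB_HDR + n, 0, HB_PAD);
    return HB_HDR + n + HB_PAD;
}

/* Returns 1 if the response carries the stale "pw=" bytes, 0 otherwise. */
int response_leaks(const uint8_t *out, size_t out_len)
{
    for (size_t i = 0; i + 3 <= out_len; i++)
        if (memcmp(out + i, "pw=", 3) == 0) return 1;
    return 0;
}
```

The vulnerable handler answers the 21-byte request with a 51-byte reply that includes the stale credential; the fixed handler discards that request and only answers the honest one.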

Heartbleed had been hidden in OpenSSL for years, but how big a risk it posed became apparent only recently. The vulnerability opens the door to hackers tapping huge amounts of data, including passwords, credit card information, addresses, Social Security numbers, etc.

Apple, the benevolent dictator
Apple has been accused of dictating policy to its development community. But sometimes, tight control can be a good thing, even if it can be frustrating. Apple switched to Common Crypto and "deprecated" OpenSSL in 2011 in an effort to avoid application crashes. The concern at the time was version compatibility between apps and OpenSSL libraries. If an update was pushed out unevenly to users of an application, Apple thought that applications could break as a result of the inconsistencies between versions of OpenSSL. The company described it using the following language:

Although OpenSSL is commonly used in the open source community, OpenSSL does not provide a stable API from version to version. For this reason, although OS X provides OpenSSL libraries, the OpenSSL libraries in OS X are deprecated, and OpenSSL has never been provided as part of iOS. Use of the OS X OpenSSL libraries by apps is strongly discouraged.

Bruce Schneier, a data-security expert and veteran in the financial services industry, described it as a catastrophic bug that ranked 11 out of 10 on the threat scale. The problem was widespread and not a security indictment of any one firm, as many prestigious companies were forced to update their software on the fly to plug the leak.

Besides reminding us that a million eyes looking at the same thing can overlook a problem, it also reminds us of a quote from Only the Paranoid Survive: "Anything that can be done in technology will be done."


David Eller has no position in any stocks mentioned. The Motley Fool recommends Apple. The Motley Fool owns shares of Apple. Try any of our Foolish newsletter services free for 30 days. We Fools may not all hold the same opinions, but we all believe that considering a diverse range of insights makes us better investors. The Motley Fool has a disclosure policy.
