I'm sure you guys are well aware of this but if not I thought I'd bring it to your attention. There is a security 'bug' in SSL that can allow a security breach.
AFAIK it's intrinsically related to SSL's use of compression.
All major browsers have taken remedial action [or aren't affected.]
Could you confirm if Vienna is affected and/or if it will be fixed in the next version?
Thanks.
http://arstechnica.com/security/2012/09 ... -sessions/
http://arstechnica.com/security/2012/09 ... erts-warn/
SSL/TLS HTTPS security flaw. Is Vienna affected?
Re: SSL/TLS HTTPS security flaw. Is Vienna affected?
I cannot be too assertive, because I am not a security specialist.
According to http://isecpartners.com/blog/2012/9/14/ ... ttack.html, the latest versions of Safari for Mac or Windows aren't affected, because they will not offer compression in SSL.
Contrary to Google Chrome (which had some versions vulnerable because they came with their own version of the WebKit engine), Vienna uses the version of WebKit supplied by Apple. So I tend to think that Vienna is not vulnerable to this vulnerability.
Less specifically, I am happy to see that, at the time of writing, Apple continues to patch Snow Leopard against known vulnerabilities: the latest Security Update 2012-004 was published on September 19th. Leopard users should be more wary, though.
I contribute to Vienna RSS as a developer.
Please, don't forget those tips for writing a good bug report
Re: SSL/TLS HTTPS security flaw. Is Vienna affected?
I'm no security expert either, but what you say makes sense.
Thanks for clarifying.