Apple hole leaves OSX management open to snooping

A detailed article from (Macintosh server administrator's website) gives a pretty disturbing description of a problem that has been around in OSX for a while.

The good news: it was finally fixed in the September 30, 2004 security patch.

Those of you doing insecure management of OSX Servers (i.e. without using a VPN or physically-controlled network for administration) may want to change your passwords. Although the Apple servermgrd (the server management daemon) uses SSL to encrypt data sent to it, the certificates had not previously been generated individually for each server. As such, every copy of OSX Server sold had a copy of the key necessary to decrypt the communication, including the administrator password.

Unfortunately, adding insult to injury, Apple decided to use Basic authentication instead of Digest authentication, so if somebody decided to use a packet decoder that takes a key in and decodes HTTP sessions using it (such as SSLDump) you would be able to watch the entire session, including the password exchange.

So, if you have copies of server, do those updates now!