Q: How does gotofail.com work?

When you open gotofail.com some javascript runs that scans your user agent string to find out what browser and OS you're using. That information is used to classify you into one of several categories based on your detected OS/browser combination. The classes are:

Q: Can you explain like I'm five how the bug works?

Normal SSL/TLS:

SSL/TLS with a vulnerable Apple product:

Q: What versions iOS are vulnerable?

iOS 6 from 6.0 to 6.1.5, iOS 7 from 7.0 to 7.0.5 and some beta/prerelease builds of 7.1.

Q: What versions of OS X are vulnerable?

10.9, 10.9.1 and some beta/prerelease builds of 10.9.2.

Q: Why do I get a yellow warning in Chrome/Firefox but green in Safari?

Firefox only provides the major release number, for example 10.9 or 10.8, in the user agent string. You'll also see this with Chrome on iPhone if you're jailbroken and have an unofficial patch. In either case, trust whatever message is shown in Safari.

Q: Why are my results wrong if I spoof my user agent string?

The result message mention scanning your operating system and browser version, if you are spoofing your user agent string that should cue you to temporarily disable spoofing.

Q: What does the backend look like?

Everything is static content to ensure that the load doesn't become a problem. The web server is vanilla nginx with a patched version of OpenSSL.

Q: Can I have the OpenSSL patch?

Save as 'gotofail.c'
To build:
gcc -shared -fPIC -o libgotofail.so gotofail.c
To use:
#define _GNU_SOURCE
int X509_check_private_key(void *a, void *b) { return 1; }