Yep, you are correct.
For this nasty SSL bug ArsTechnica does a nice job explaining it:
Essentially the bug basically makes it so the SecureTransport encryption layer on the Mac doesn't check the certificates of incoming or outgoing requests. You can fill the cert with junk and it still accepts. Leaves you open to man-in-the-middle attacks. Any online banking,...