ESSE, the security team of RISE GmbH, discovered a new critical vulnerability in the ageing TLS (Transport Layer Security) protocol. The vulnerability was presented at an international IT security conference. TLS, which is better known as HTTPS (when paired with HTTP) and is also known as SSL (Secure Sockets Layer), is one of the most important and most used security protocols on the Internet. For example, TLS is widely employed by e-banking systems worldwide.
The newly discovered weakness opens supposedly securely encrypted TLS communication to full-blown Man-in-the-Middle (MitM) attacks: the attack allows hackers to eavesdrop on private communication data and even to modify sensitive data arbitrarily while in transit. The work of the security researchers of RISE GmbH closed a crucial security vulnerability. By making the technical details of the attack public, RISE GmbH helps to ensure that the weakness will not resurface in new systems. Among others, Apple’s own TLS library was affected. This allowed an attacker to compromise connections from Apple’s Mac OS X devices to sites such as Facebook. This backdoor has been closed! Facebook has recognised our efforts with a bug bounty -- a global award.
More information and technical details: https://kcitls.org/