from http://gizmodo.com/why-apples-huge-security-flaw-is-so-scary-1529041062

"What’s a Man in the Middle Attack?

A Man in the Middle Attack, which we’ll call MitM from here for brevity’s sake, is basically high-tech eavesdropping. A MitM attacker intercepts the communication between your browser and a site, monitoring, recording, seeing everything that transpires between you.

Gmail. Facebook. Financial transactions. OK Cupid flirting. All of it read, in real-time, by a complete stranger. Here it is in oversimplified chart form:

Why Apple's Recent Security Flaw Is So Scary

Normally attacks like this are are foiled by SSL/TLS (encrypted handshakes are hard to get in the middle of), or at least rendered too difficult to be worth it. But this Apple bug makes it painfully easy. That "privileged network position" an attacker needs to be in, referenced in the release notes? That just means he’s in the same Starbucks as you.

And this has been going on since September. Of 2012.

How Serious Is It?

If you’re still scratching your head over what all of this means and how bad it is, the simplest way to explain it is that developers who understand it deeply weren’t even willing to talk about it openly, for fear of giving hackers more ammunition than they already had:

I’m not going to talk details about the Apple bug except to say the following. It is seriously exploitable and not yet under control.

— Matthew Green (@matthew_d_green) February 21, 2014

Ok, yes, the iOS/OS X bug does break SSL completely. Like @matthew_d_green I’m going to keep quiet. Patch quickly.

— Adam Langley (@agl__) February 22, 2014

Dear everyone: do *not* use Safari until Apple patches their SSL code in Mac OS X. Man-in-the-middle exploits are already in the wild.

— Nick Sullivan (@grittygrease) February 22, 2014

.@grittygrease @csoghoian It’s not just Safari — using any Mail.app, iCal, or any service that relies on TLS on the iPhone/Mac is vulnerable

— ashkan soltani (@ashk4n) February 22, 2014"

rest at http://gizmodo.com/why-apples-huge-security-flaw-is-so-scary-1529041062

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s