"What’s a Man in the Middle Attack?
A Man in the Middle Attack, which we’ll call MitM from here for brevity’s sake, is basically high-tech eavesdropping. A MitM attacker intercepts the communication between your browser and a site, monitoring, recording, seeing everything that transpires between you.
Gmail. Facebook. Financial transactions. OK Cupid flirting. All of it read, in real-time, by a complete stranger. Here it is in oversimplified chart form:
Normally attacks like this are are foiled by SSL/TLS (encrypted handshakes are hard to get in the middle of), or at least rendered too difficult to be worth it. But this Apple bug makes it painfully easy. That "privileged network position" an attacker needs to be in, referenced in the release notes? That just means he’s in the same Starbucks as you.
And this has been going on since September. Of 2012.
How Serious Is It?
If you’re still scratching your head over what all of this means and how bad it is, the simplest way to explain it is that developers who understand it deeply weren’t even willing to talk about it openly, for fear of giving hackers more ammunition than they already had:
I’m not going to talk details about the Apple bug except to say the following. It is seriously exploitable and not yet under control.
— Matthew Green (@matthew_d_green) February 21, 2014
Ok, yes, the iOS/OS X bug does break SSL completely. Like @matthew_d_green I’m going to keep quiet. Patch quickly.
— Adam Langley (@agl__) February 22, 2014
Dear everyone: do *not* use Safari until Apple patches their SSL code in Mac OS X. Man-in-the-middle exploits are already in the wild.
— Nick Sullivan (@grittygrease) February 22, 2014
— ashkan soltani (@ashk4n) February 22, 2014"