Posts Tagged ‘Man-In-The-Middle’

TLS protocol renegotiation vulnerability

Monday, November 23rd, 2009

A serious flaw in the Transport Layer Security (TLS) protocol was recently brought to light via the Internet Engineering Task Force (IETF) mailing list (archive).

TLS is the most common data security protocol on the Internet, primarily used to encrypt online HTTP negotiations, such as online banking and commercial transactions, and to secure online services, such as email and database access. The vulnerability was identified by the researchers at PhoneFactor as the ‘SSL/TLS Authentication Gap’. It allows an attacker to inject himself into the authenticated SSL communication path in a number of serious Man-In-The-Middle (MITM) attacks. This could be done without either party to the negotiation (client or server) being able to detect the attack.
