more info on the tls/ssl mitm attack

Some more information is slowly getting out about the TLS/SSL MITM attack via an “authentication gap” that was disclosed yesterday. As I somewhat inferred from the original details, this has limited potential (usually against connections utilizing client certs) and does not result in snifing traffic. As I somewhat expect with what limited confirmed info is out there, this is not a big deal to most, but may be a big deal to smart card vendors. As mentioned in the linked article, SOAPs and other web service connections may also be susceptible.

Even without the huge public risk in this, those three mentioned issues at the end may still be pretty important, especially if someone weaponizes and scripts it out for easy use to usurp connections or inject Bad Things (inject, POST, follow-up with GETs?).

Props to the security community on Twitter for being such an insanely great way to spread news on issues quickly. The above link I saw from the Taosecurity tweets.