neurotic.ca


HFAIT - SSL/TLS Protocol Borked

Fun times hitting the news feeds today.

The IETF has apparently been working on a fix to the SSL/TLS protocol in secret for the last 2-3 months, following a privately disclosed vulnerability that can allow SSL sessions to be intercepted and the data within those streams manipulated. I can has your sensitive data now plz?

Since this is a protocol-level flaw, it's going to affect nearly every implementation across every OS, version, app and so on. Now that it's out in the open, it'll be months (and in some cases, probably never) before patches are developed, tested, released and then run through every company's patch management process (for those of you lucky enough to have such a fantastical thing).

Those small embedded devices with SSL interfaces may never be patched at all; that depends entirely on the vendor's maturity and responsiveness to these sorts of disclosures. This will be one of those flaws we're still finding a decade from now in vulnerability assessments.

Happy Friday!
