Application Layer Protocol Confusion – Analyzing and Mitigating Cracks in TLS Authentication?
You can see why the researchers from the three universities which discovered this new flaw in TLS quickly picked an acronym that will stick; if they hadn’t you can bet someone else would. Unfortunately the moniker is the only cute thing about this post, there are well over a million webservers that are currently vulnerable to this attack. The flaw is not easy to take advantage of, but then again it is not easy to fix as it rises from a combination of programs and protocols.
The steps required to resolve the issue will also mean breaking legacy applications, to mitigate the base vulnerability Application Layer Protocol Negotiation and Server Name Indication extensions will need to move to TLS traffic. This suggests that the flaw will be with us for a bit.
Academics from three German universities have found a vulnerability in the Transport Layer Security (TLS) protocol that under limited circumstances allows the theft of session cookies and enables cross-site scripting attacks.