Transport Layer Security version 1.3, which was finally approved for use in August of last year and hailed as ‘mak[ing] all secure internet connections faster and safer’ has been found to be vulnerable, allowing attackers to break the security offered and read private Internet traffic.
TLS is a vital part of the contemporary Internet ecosystem, providing encryption for everything from HTTPS Web traffic to email.
The vulnerability, published by researchers from a range of universities and security companies, relies on a combination of a downgrade attack (abusing TLS’ backwards-compatability to force a target to use TLS 1.2 instead), followed by a side-channel leak.
Having ‘tested nine fully patched implementations of various RSA-based security protocols’, the researchers found that ‘only…two could not be successfully attacked by our new techniques’.
The vulnerability is expected to be patched soon, and all enterprises and users are advised to update as soon as it is made available.