Apple iOS 7.1.1 Fixes Triple Handshake SSL Flaw
Apple is patching security vulnerabilities in its iOS mobile operating system, the OS X desktop operating system and the firmware on the AirPort Wi-Fi access point with a series of security updates released on April 22.
Several of the patched issues affect both iOS and OS X, among them the so-called "triple handshake" attack, identified as CVE-2014-1295.
"In a triple handshake attack, it was possible for an attacker to establish two connections that had the same encryption keys and handshake, insert the attacker's data in one connection and renegotiate so that the connections may be forwarded to each other," Apple warned in its advisory. "To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection."
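The default Apple describes, remembering the server certificate from the original handshake and refusing a renegotiation that presents a different one, can be expressed as a per-connection check. This is an added example, not Apple's Secure Transport code; the class and function names and the byte strings standing in for DER-encoded certificates are assumptions made for illustration.

```python
import hashlib
import hmac


class HandshakeRejected(Exception):
    """Raised when a handshake violates the same-certificate policy."""


class RenegotiationGuard:
    """Per-connection policy (hypothetical helper): the server certificate
    seen in the first handshake is remembered, and every later handshake on
    the same connection must present byte-identical DER."""

    def __init__(self):
        self._pinned = None  # SHA-256 of the first handshake's leaf certificate

    def on_handshake(self, leaf_der: bytes) -> str:
        if not leaf_der:
            raise HandshakeRejected("handshake presented no server certificate")
        digest = hashlib.sha256(leaf_der).digest()
        if self._pinned is None:
            self._pinned = digest  # original connection: record the certificate
            return "initial"
        if not hmac.compare_digest(self._pinned, digest):
            raise HandshakeRejected("renegotiation presented a different certificate")
        return "renegotiation-ok"


def check_connection(handshake_certs):
    """Feed the leaf certificate of each successive handshake on one
    connection to the guard. Returns (handshakes_accepted, error_or_None)."""
    guard = RenegotiationGuard()
    for index, der in enumerate(handshake_certs):
        try:
            guard.on_handshake(der)
        except HandshakeRejected as exc:
            return index, str(exc)
    return len(handshake_certs), None


# Constructed stand-ins for DER-encoded leaf certificates (not real certificates).
CERT_A = b"\x30\x82constructed-certificate-A"
CERT_B = b"\x30\x82constructed-certificate-B"

if __name__ == "__main__":
    print(check_connection([CERT_A, CERT_A]))  # same certificate on renegotiation
    print(check_connection([CERT_A, CERT_B]))  # certificate changed mid-connection
```
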