I can’t say for sure whether the National Security Agency had anything to do with this Apple security flaw but it is certainly something the NSA could readily exploit. All the Agency needed to do is control a router between its target and the target’s destination and it would have clear view of the supposedly encrypted traffic.
I’ve said it before and I’ll say it again: America no longer has a monopoly on world-class cryptographers (if it ever did). By encouraging these types of flaws, our government leaves us vulnerable to attacks from foreign nations. Instead, our cryptographers should be working to make American software as secure as it can be.
I hope Apple will track down the developer responsible for this colossal blunder and fire him or her on the spot.
SSL stands for Secure Sockets Layer, and it’s what helps ensure that communication between your browser and your favorite websites’ servers remains private and secure. TLS, or Transport Layer Security, is a more recent protocol that does essentially the same. In brief, SSL/TLS is a cryptographic key that lets a browser and a server know they are who they say they are, a secret digital handshake that keeps your financial information safe when you make an Amazon payment or log into wellsfargo.com.
This all happens in the background; your only direct interaction with SSL/TLS is when you notice the lock icon in your search bar has clamped shut. That means you’ve got a direct, private, secure line.
The Apple bug in question—which, again, has been patched in iOS but not yet in OS X, though Apple tells Reuters that fix is coming "very soon"—means that Safari or one of these other affected applications can’t actually know for sure if the servers it’s talking to are who they say they are. Which leaves you and everything you transmit over the web vulnerable to a Man in the Middle attack.