Earlier this week Apple released iOS 4.3.4 to fix the jailbreak method of jailbreakme.com. But now nakedsecurity advice us to update to iOS 4.3.5 as fast as possible: “Moxie Marlinspike posted a message on his blog yesterday announcing an update to a tool called sslsniff. The sslsniff tool has been around for quite some time (nine years!) and allows users to easily perform man-in-the-middle attacks against SSL/TLS connections. The new version of sslsniff knows how to identify vulnerable Apple devices and allows anyone to snoop on secure communications.”

“Yes, you read that correctly. The flaws in iOS 4.3.4, 4.2.9 and 5.0b3 and lower are a lot more serious than Apples description of their fix: “This issue is addressed through improved validation of X.509 certificate chains.””

Oddly the flaw in iOS was a widespread flaw in WebKit and Microsofts CryptoAPI nine years ago. It allows any valid certificate purchased from a Certificate Authority to sign any other certificate, which the client device will then consider valid.

This allows anyone who can capture traffic from your iPhone, iPad or iPod Touch with man-in-the-middle techniques to intercept and read any and all encrypted SSL traffic silently and without notification to the user.

This patch should be applied immediately if you log in to any service on your device, especially things like your bank or PayPal. Users are particularly vulnerable to this attack if they frequently use public/open WiFi.

Apple released iOS 4.3.5 a view days ago and fixed this bug, so update your iDevice to iOS 4.3.5 using iTunes. Unfortunately the older iDevices such as the iPod / iPod 2 and an iPhone older than the 3GS can not be updated to the latest iOS anymore, so if you use one of these iDevices dont use them for any purpose for which security or privacy is required.

Source [nakedsecurity]