“The precise effects of the problem are not discussed in the
reports. It would, however, appear to be possible to manipulate
HTML content from websites during data transfer and, for example,
inject malicious code.“The crux of the problem is, rather than a flawed
implementation, a design flaw in the TLS protocol when
renegotiating parameters for an existing TLS connection. This
occurs when, for example, a client wants to access a secure area on
a web server which requires the requesting client certificates.
When the server establishes that is the case, it begins a
renegotiation to obtain the appropriate client certificate. The
original request gets replayed during this renegotiation as if it
had been authenticated by the client certificate, but it has not.
The discoverer of the problem describes this as an “authentication
gap”.”