gbhackers.com July 10, 2025 - A newly discovered man-in-the-middle exploit dubbed “Opossum” has demonstrated the unsettling ability to compromise secure communications.

Researchers warn that Opossum targets a wide range of widely used application protocols—including HTTP, FTP, POP3, SMTP, LMTP and NNTP—that support both “implicit” TLS on dedicated ports and “opportunistic” TLS via upgrade mechanisms.

By exploiting subtle implementation differences between these two modes, an attacker can provoke a desynchronization between client and server, ultimately subverting the integrity guarantees of TLS and manipulating the data seen by the client.

The Opossum attack is built upon vulnerabilities first highlighted in the ALPACA attack, which identified weaknesses in TLS authentication when application protocols allow switching between encrypted and plaintext channels.
Even with ALPACA countermeasures in place, Opossum finds fresh leverage points at the application layer. When a client connects to a server’s implicit TLS port—such as HTTPS on port 443—the attacker intercepts and redirects the request to the server’s opportunistic-TLS endpoint on port 80.

By posing as the client, the attacker initiates a plaintext session that is then upgraded to TLS with crafted “Upgrade” headers.

Simultaneously, the attacker relays the original client’s handshake to the server, mapping the two TLS sessions behind the scenes.