"FREAK" flaw utilizes forgotten export-grade encryption, more than a third of secure sites affected

By Shawn Knight
Mar 3, 2015
Post New Reply
  1. freak apple google android https safari vulnerability flaw it security freak flaw

    Security researchers have disclosed a devastating flaw dubbed “FREAK” that allows for man-in-the-middle attacks on encrypted traffic of millions of websites that were otherwise thought to be secure.

    In the 1990s, the US government attempted to regulate the export of products utilizing “strong” encryption. Instead, such devices were loaded with weaker “export-grade” encryption before being shipped out of the country.

    Export-grade encryption was only allowed a maximum key length of 512 bits which, at the time, was deemed strong enough for commercial use while still proving weak enough for the government to circumvent.

    Servers in the US still needed to be able to interact with exported devices so they were outfitted to support both strong and export-grade crypto. SSL designers created a “cipher suite” that identified and used the highest possible encryption that a connecting device supported.

    The US government eventually lifted this policy in the late ‘90s, companies began shipping strong encryption devices out of the country and the issue seemingly solved itself. The only problem is that “export mode” was never removed and has silently lived on as a zombie for the past 15 years or more.

    An attacker aware of this can trick a website that still has export mode lingering around into letting it connect with an export cipher. The attacker then gains access to the weak RSA key and can set about cracking it.

    Cracking a 512-bit key back in the ‘90s would have required access to some pretty serious computing hardware but today, it can be done via Amazon Web services in a matter of hours for around $100.

    Of the more than 14 million websites that use SSL or TLS protocols, more than a third were found to be vulnerable to the attack including major banking sites, news organizations and government websites. Vulnerable devices are said to include pretty much every Android device in addition to iPhones and Macs.

    Apple said it plans to issue a patch for iOS and OS X next week while a Google spokesperson said they’ve already issued a patch to hardware partners. It’ll be up to those partners to distribute the patch to its end users.

    The website will determine if your device is vulnerable.

    Permalink to story.

    Last edited by a moderator: Mar 5, 2015
  2. Evernessince

    Evernessince TS Evangelist Posts: 1,104   +532

    This article is very sparse on details. It doesn't even state where the flaw occurs.

    For those who want to know, this is another SSL exploit.

    I don't know who's in charge of managing the SSL protocol (a google search didn't come up with anything) but at this point they might as well start from scratch. Just how many backdoors are they going to put in there that completely subverts the point of security in the first place?

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...