Attackers can theoretically use FREAK Attack to intercept what should be a secure HTTPS connection — the one with the lock icon in the address bar — and downgrade the encryption to "export-grade", which is much easier to crack. Safari, both on OS X and iOS, among other browsers, can be susceptible to FREAK Attacks, but Apple is aware of the exploit and moving swiftly to patch it:
"We have a fix in iOS and OS X," an Apple spokesperson told iMore, "that will be available in software updates next week."
FREAK Attack stands for "Factoring attack on RSA-EXPORT Keys". The vulnerability has apparently existed for a decade but was only recently discovered and disclosed by researchers. According to the FREAKAttack.com:
A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.
Here's what website administrators should do:
If you run a web server, you should disable support for any export suites. However, instead of simply excluding RSA export cipher suites, we encourage administrators to disable support for all known insecure ciphers (e.g., there are export cipher suites protocols other than RSA) and enable forward secrecy.
They also include a list of websites, some of the internet's largest, known to be vulnerable at the time of the reporting.
The weaker, 512-bit encryption, is called "export-grade" due to a U.S. policy, which ended in the 1990s, that once prohibited the export of strong encryption. It highlights the inherent problem with government demands for lower levels of security and "back doors": Security is only ever as strong as its weakest point. The Wachington Post:
The [FREAK Attack] problem illuminates the danger of unintended security consequences at a time when top U.S. officials, frustrated by increasingly strong forms of encryption on smartphones, have called for technology companies to provide "doors" into systems to protect the ability of law enforcement and intelligence agencies to conduct surveillance.
Matthew D. Green, a Johns Hopkins cryptographer who helped investigate the encryption flaw, said any requirement to weaken security adds complexity that hackers can exploit. "You're going to add gasoline onto a fire," said Green. "When we say this is going to make things weaker, we're saying this for a reason."
In other words, doors open. It's what they're designed to do.
We'll let everyone know as soon as the iOS and OS X patches are live.
iOS gaming recap: PlayStation makes big moves into iOS, Streets of Rage 4
Besides some new games, a huge game maker discussed its plans to move into the mobile space, although it's unclear when. Here's what else you missed this week.
GRAMMY-winning music producer lauds his Mac Studio but still wants Mac Pro
GRAMMY-winning music producer Mike Dean, who has worked with the likes of Kanye, Selena Gomez, and Madonna has taken to Instagram to wax lyrical about his M1 Ultra Mac Studio while still lamenting the fact that he can't buy an Apple silicon Mac Pro.
Review: You really ought to check out Catalyst Black for iOS
Catalyst Black is an online multiplayer game that has teams compete against each other to score points and take down opponents. It has both sci-fi and fantasy elements since players can turn into large beasts to do additional damage.
Keep an eye on the front door with the best HomeKit video doorbells
HomeKit video doorbells are a great way to keep an eye on those precious packages at your front door. While there are just a few from which to choose, these are the best HomeKit options available.