Attackers can theoretically use FREAK Attack to intercept what should be a secure HTTPS connection — the one with the lock icon in the address bar — and downgrade the encryption to "export-grade", which is much easier to crack. Safari, both on OS X and iOS, among other browsers, can be susceptible to FREAK Attacks, but Apple is aware of the exploit and moving swiftly to patch it:
"We have a fix in iOS and OS X," an Apple spokesperson told iMore, "that will be available in software updates next week."
FREAK Attack stands for "Factoring attack on RSA-EXPORT Keys". The vulnerability has apparently existed for a decade but was only recently discovered and disclosed by researchers. According to FREAKAttack.com:
A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.
Here's what website administrators should do:
If you run a web server, you should disable support for any export suites. However, instead of simply excluding RSA export cipher suites, we encourage administrators to disable support for all known insecure ciphers (e.g., there are export cipher suites for protocols other than RSA) and enable forward secrecy.
They also include a list of websites, some of the internet's largest, known to be vulnerable at the time of the reporting.
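The server-side remediation quoted above (drop every export suite, drop other known-insecure ciphers, require forward secrecy) can be checked against a server's offered cipher list. The script below is an added example, not code from iMore or FREAKAttack.com; the suite names are constructed to resemble `openssl ciphers -v` and scanner output and do not describe any real host.

```python
"""Audit a TLS server's offered cipher suites for the FREAK remediation advice:
no export-grade suites, no other known-weak primitives, forward secrecy only."""
import re

# Export-grade suites: OpenSSL names start with "EXP-", IANA names contain "_EXPORT".
EXPORT_RE = re.compile(r"^EXP-|_EXPORT")
# Forward secrecy requires an ephemeral (EC)DH key exchange.
PFS_RE = re.compile(r"\b(ECDHE|DHE|EDH)-|_(ECDHE|DHE)_")
# Other insecure primitives FREAKAttack.com advises dropping alongside EXPORT:
# RC4, MD5, single DES (40-bit or 56-bit), NULL encryption, anonymous DH.
WEAK_RE = re.compile(r"RC4|MD5|DES-CBC-SHA|_DES(40)?_CBC_|NULL|anon|^ADH|^AECDH")

# Constructed sample list (not a real server's output) mixing OpenSSL and IANA names.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA",
    "AES128-SHA",
    "EXP-RC4-MD5",
    "EXP-EDH-RSA-DES-CBC-SHA",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]


def audit_cipher_suites(offered):
    """Classify each offered suite. Returns a dict with the lists "export",
    "no_forward_secrecy", "weak_primitive" and "keep" (suites with no finding).
    A suite may appear under several problem categories."""
    result = {"export": [], "no_forward_secrecy": [], "weak_primitive": [], "keep": []}
    for name in offered:
        findings = 0
        if EXPORT_RE.search(name):
            result["export"].append(name)
            findings += 1
        if not PFS_RE.search(name):
            result["no_forward_secrecy"].append(name)
            findings += 1
        if WEAK_RE.search(name):
            result["weak_primitive"].append(name)
            findings += 1
        if findings == 0:
            result["keep"].append(name)
    return result


if __name__ == "__main__":
    for category, suites in audit_cipher_suites(SAMPLE_SUITES).items():
        print(f"{category}: {', '.join(suites) or '-'}")
```

The "keep" list is the allow-list to configure on the server; anything under "export" is exactly what FREAK relies on and must go first.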
The weaker 512-bit encryption is called "export-grade" because of a U.S. policy, ended in the 1990s, that once prohibited the export of strong encryption. It highlights the inherent problem with government demands for lower levels of security and "back doors": Security is only ever as strong as its weakest point. The Washington Post:
The [FREAK Attack] problem illuminates the danger of unintended security consequences at a time when top U.S. officials, frustrated by increasingly strong forms of encryption on smartphones, have called for technology companies to provide "doors" into systems to protect the ability of law enforcement and intelligence agencies to conduct surveillance.
Matthew D. Green, a Johns Hopkins cryptographer who helped investigate the encryption flaw, said any requirement to weaken security adds complexity that hackers can exploit. "You're going to add gasoline onto a fire," said Green. "When we say this is going to make things weaker, we're saying this for a reason."
In other words, doors open. It's what they're designed to do.
We'll let everyone know as soon as the iOS and OS X patches are live.