Apple, Google users at risk from FREAK flaw

A major security flaw has been discovered in the Secure Sockets Layer/Transport Layer Security (SSL/TLS) cryptographic protocols, leaving users of Google and Apple devices open to attack when visiting purportedly secure websites.

Technology companies are now rushing to put out fixes for the FREAK attack, disclosed by researchers today.

The vulnerability in the SSL/TLS secure communications protocols allows attackers to intercept HTTPS connections between vulnerable clients and servers - which researchers revealed included web browsers on Android and Apple smartphones.

Attackers could then force the site to downgrade to weak, so-called "export-grade" cryptography, which could be easily cracked in order to decrypt web traffic, in turn allowing attackers to steal passwords and other sensitive information.

The flaw has been around since the late 1990s, stemming from a former US government policy which had banned the export of strong encryption.

The policy - which was ditched in 1999 - meant weaker "export-grade" products were shipped to customers outside of the US.

However, the weaker keys continued to be used by software companies after the policy was canned, going unnoticed until it was discovered this year by the group of cryptographers at INRIA, Microsoft Research and IMDEA.

The "FREAK" name stands for 'factoring attack on RSA-EXPORT keys'. The keys used in the export-grade encryption had a length of 512 bits - which is considered incredibly weak in the current age thanks to rapid increases in computing power - allowing attackers to easily factor the key.

"This bug causes them to accept RSA export-grade keys even when the client didn't ask for export-grade RSA," cryptographer Matthew Green wrote in a blog post.

"The impact of this bug can be quite nasty: it admits a 'man in the middle' attack whereby an active attacker can force down the quality of a connection, provided that the client is vulnerable and the server supports export RSA."
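The client-side check whose absence Green describes can be modelled in a few lines. This is an added example, not code from the article or from any real TLS library: the function names and the handshake model (offered suites, selected suite, size of any temporary RSA key the server sent) are simplifying assumptions.

```python
# Simplified model of a TLS client's key-exchange check (constructed example).
from typing import List, Optional

# IANA names of the RSA export-grade cipher suites.
RSA_EXPORT_SUITES = {
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def vulnerable_accepts(offered: List[str], selected: str,
                       temp_rsa_bits: Optional[int]) -> bool:
    """Flawed behaviour: a temporary RSA key is used whenever one arrives,
    whatever was negotiated, so temp_rsa_bits is never inspected."""
    return selected in offered


def hardened_check(offered: List[str], selected: str,
                   temp_rsa_bits: Optional[int]) -> str:
    """Return "ok", or the reason the handshake must be aborted."""
    if selected not in offered:
        return "abort: server selected a suite the client never offered"
    if selected in RSA_EXPORT_SUITES:
        # A client should not be offering these at all.
        return "abort: export-grade suite negotiated"
    if temp_rsa_bits is not None:
        # A temporary RSA key belongs only to an RSA_EXPORT handshake.
        return "abort: unexpected temporary RSA key for non-export suite"
    return "ok"


if __name__ == "__main__":
    offered = ["TLS_RSA_WITH_AES_128_CBC_SHA"]   # constructed client offer
    chosen = "TLS_RSA_WITH_AES_128_CBC_SHA"
    # Constructed cases: a clean handshake, then one in which a 512-bit
    # temporary key shows up although export RSA was never requested.
    for bits in (None, 512):
        print(bits, vulnerable_accepts(offered, chosen, bits),
              hardened_check(offered, chosen, bits))
```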
