FREAK show: Apple and Android SSL WIDE OPEN to snoopers

Security researchers are warning of a flaw in OpenSSL and Apple's SecureTransport, a hangover from the days when the US government was twitchy about the spread of cryptography.

It's a flaw that allows an attacker to decrypt your login cookies, and other sensitive information, from your HTTPS connections if you use a vulnerable browser such as Safari.

Apple's SecureTransport is a library used by applications on iOS and OS X, including Safari for iPhones, iPads and Macs. OpenSSL is open source, and used by Android browsers, and many other things.

OpenSSL and SecureTransport encrypt connections to online banking, webmail, and other HTTPS websites, and so much else on the internet, to thwart eavesdroppers.

It turns out the encryption used by OpenSSL and SecureTransport can be crippled by an attacker on your network: apps can be tricked into using weak encryption keys, allowing determined miscreants to pluck login cookies and other sensitive information out of your SSL-protected traffic.

"A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204," according to freakattack.com, a website explaining the security flaw.

"Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites."

You can visit freakattack.com to check if your web browser is vulnerable. Reg readers have told us that Google Chrome for OS X prior to version 41.0.2272.76, BlackBerry OS 10.3, and Internet Explorer 11 in the Windows 10 Technical Preview are flagged up as vulnerable.

Back in the early 1990s, the US government banned Americans from selling software overseas unless the code used so-called "export cipher suites" that involved encryption keys no longer than 512 bits.

At the time, this was supposed to ensure that Uncle Sam exported relatively weak encryption to the rest of the world, and kept the stronger stuff for itself.
