{"id":29470,"date":"2015-03-05T08:47:14","date_gmt":"2015-03-05T13:47:14","guid":{"rendered":"http:\/\/www.opensource.im\/uncategorized\/freak-show-apple-and-android-ssl-wide-open-to-snoopers.php"},"modified":"2015-03-05T08:47:14","modified_gmt":"2015-03-05T13:47:14","slug":"freak-show-apple-and-android-ssl-wide-open-to-snoopers","status":"publish","type":"post","link":"https:\/\/euvolution.com\/open-source-convergence\/cryptography\/freak-show-apple-and-android-ssl-wide-open-to-snoopers.php","title":{"rendered":"FREAK show: Apple and Android SSL WIDE OPEN to snoopers"},"content":{"rendered":"<p><p>    Security researchers are warning of a flaw in OpenSSL and    Apple's SecureTransport, a hangover from the days when the US    government was twitchy about the spread of cryptography.  <\/p>\n<p>    It's a flaw that allows an attacker to decrypt your login    cookies, and other sensitive information, from your HTTPS    connections if you use a vulnerable browser such as Safari.  <\/p>\n<p>    Apple's     SecureTransport is a library used by applications on iOS    and OS X, including Safari for iPhones, iPads and Macs.    OpenSSL is    open source, and used by Android browsers, and many other    things.  <\/p>\n<p>    OpenSSL and SecureTransport encrypt connections to online    banking, webmail, and other HTTPS websites, and so much else on    the internet, to thwart eavesdroppers.  <\/p>\n<p>    It turns out the encryption used by OpenSSL and SecureTransport    can be crippled by an attacker on your network: apps can be    tricked into using weak encryption keys, allowing determined    miscreants to pluck login cookies and other sensitive    information out of your SSL-protected traffic.  
<\/p>\n<p>    \"A connection is vulnerable if the server accepts RSA_EXPORT    cipher suites and the client either offers an RSA_EXPORT suite    or is using a version of OpenSSL that is vulnerable to    CVE-2015-0204,\" according to freakattack.com, a website    explaining the security flaw.  <\/p>\n<p>    \"Vulnerable clients include many Google and Apple devices    (which use unpatched OpenSSL), a large number of embedded    systems, and many other software products that use TLS behind    the scenes without disabling the vulnerable cryptographic    suites.\"  <\/p>\n<p>    You can visit freakattack.com to check if your web browser is    vulnerable. Reg readers have told us that Google Chrome    for OS X prior to version 41.0.2272.76, BlackBerry OS 10.3, and    Internet Explorer 11 in the Windows 10 Technical Preview, are    flagged up as vulnerable.  <\/p>\n<p>    Back in the early 1990s, the US government banned Americans    from selling software overseas unless the code used so-called    \"export cipher suites\" that involved encryption keys no longer    than 512 bits.  <\/p>\n<p>    At the time, this was supposed to ensure that Uncle Sam    exported relatively weak encryption to the rest of the world,    and kept the stronger stuff for itself.  <\/p>\n<p><!-- Auto Generated --><\/p>\n<p>Read more:<br \/>\n<a target=\"_blank\" href=\"http:\/\/go.theregister.com\/feed\/www.theregister.co.uk\/2015\/03\/03\/government_crippleware_freaks_out_tlsssl\" title=\"FREAK show: Apple and Android SSL WIDE OPEN to snoopers\">FREAK show: Apple and Android SSL WIDE OPEN to snoopers<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> Security researchers are warning of a flaw in OpenSSL and Apple's SecureTransport, a hangover from the days when the US government was twitchy about the spread of cryptography. 
It's a flaw that allows an attacker to decrypt your login cookies, and other sensitive information, from your HTTPS connections if you use a vulnerable browser such as Safari. Apple's SecureTransport is a library used by applications on iOS and OS X, including Safari for iPhones, iPads and Macs. <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1600],"tags":[],"class_list":["post-29470","post","type-post","status-publish","format-standard","hentry","category-cryptography"],"_links":{"self":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/29470"}],"collection":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/comments?post=29470"}],"version-history":[{"count":0,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/29470\/revisions"}],"wp:attachment":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/media?parent=29470"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/categories?post=29470"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/tags?post=29470"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}