Security Flaw Discovered in Some Apple and Google Devices
Thursday, March 5th, 2015 -- 8:17 AM
(Stephanie Mlot, pcmag.com) -Researchers this week disclosed a security flaw that has left some Apple and Google device users vulnerable to attack when visiting supposedly secure websites.The vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Key), dates back more than a decade, and opens those on the Android and Safari browsers to man-in-the-middle hacks when surfing various sites, including government pages.
According to the cryptographers who uncovered the flaw, "Freak" targets deliberately weak export cipher suites, which were introduced "under the pressure of U.S. governments agencies to ensure that the NSA would be able to decrypt all foreign encrypted communication."
Support for most of these algorithms are disabled by default, but there is a loophole, the researchers said. "If a server is willing to negotiate an export ciphersuite, a man-in-the-middle may trick a browser, which normally doesn't allow it, to use a weak export key," their website said. Many U.S. government agencies and other popular sites enable those export ciphersuites on their servers, allowing hackers to impersonate them to vulnerable clients.
Folks using Chrome, Firefox, or Internet Explorer to connect to sites offering strong ciphers are probably not affected, the team said. But anyone running a browser with a buggy TLS library, over an insecure network, connecting to an HTTPS server with export ciphersuites, may be vulnerable.
Feel free to contact us with questions and/or comments.