FREAK vulnerability affects Apple and Android browsers
SSL | 2015-03-04 10:30 by Daniela
Tags: FREAK, Apple, Android, SSL
A recently found security flaw that went undetected for years may seriously harm security across the Internet. The problem has its roots in a misguided U.S. government effort to keep consumers from having access to strong encryption: back in the 1990s, the U.S. government wanted weaker encryption built into products that the country was exporting. Now it turns out that this weak encryption is still in use and threatens the security of millions of Internet users worldwide.
The security flaw, called FREAK (short for Factoring Attack on RSA-EXPORT Keys vulnerability, or CVE-2015-0204), is a flaw in SSL/TLS, the technology that is supposed to secure your communications across the net. It affects even U.S. government-managed websites, such as Whitehouse.gov, NSA.gov and FBI.gov.
The bug allows an attacker to decrypt your login cookies, and other sensitive information, from your HTTPS connections if you use a vulnerable browser. Thousands of websites are vulnerable to attacks. Safari and the default Android browser — but not Chrome — are also affected.
"A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204," according to freakattack.com, a website explaining the security flaw.
"Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites."
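The server-side half of the condition quoted above (does the server accept an RSA_EXPORT suite?) can be checked directly: the ClientHello below offers only the three RSA export suites and the reply is classified by whether the server picks one or answers with an alert. This is an added example written for this post, not code from freakattack.com or from any vendor; the suite values are the IANA registry numbers, and the sample ServerHello is constructed here for an offline self-test.

```python
import socket
import struct

# IANA cipher suite values for the export-grade RSA key exchange suites;
# a server that selects one of these is exposed to FREAK.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def _record(handshake_type, body):
    """Wrap a handshake body in a TLS 1.0 handshake header and record header."""
    handshake = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def build_client_hello(suites):
    """ClientHello offering only the given suites (version, zero random, empty session id)."""
    body = b"\x03\x01" + bytes(32) + b"\x00"
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                      # one compression method: null
    return _record(1, body)                  # handshake type 1 = client_hello

def build_server_hello(suite):
    """Constructed ServerHello selecting `suite`; used only for the offline self-test."""
    return _record(2, b"\x03\x01" + bytes(32) + b"\x00" + struct.pack(">H", suite) + b"\x00")

def classify_response(data):
    """Classify the server's first record as 'accepts_export', 'rejects_export' or 'unknown'."""
    if len(data) >= 5 and data[0] == 21:       # Alert record, typically handshake_failure
        return "rejects_export"
    if len(data) < 9 or data[0] != 22 or data[5] != 2:   # not a Handshake/ServerHello
        return "unknown"
    body = data[9:]                           # version(2) random(32) sid_len(1) sid cipher(2)
    if len(body) < 35 or len(body) < 37 + body[34]:
        return "unknown"
    suite = struct.unpack(">H", body[35 + body[34]:37 + body[34]])[0]
    return "accepts_export" if suite in RSA_EXPORT_SUITES else "unknown"

def check_server(host, port=443, timeout=5.0):
    """Offer only RSA_EXPORT suites to host:port and report how the server answers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(sorted(RSA_EXPORT_SUITES)))
        return classify_response(sock.recv(4096))

if __name__ == "__main__":
    import sys
    print(check_server(sys.argv[1]))
```

A server you administer that reports accepts_export needs the export suites removed from its cipher list (in OpenSSL cipher-string terms, adding !EXPORT), which is the fix Google recommends to site owners.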
Apple will release a fix for iOS and OS X through software updates next week. Google recommends that website owners disable support for the export certificates. The company has also "developed a patch to protect Android's connection to sites that do expose export certs and that patch has been provided to partners."