FREAK Internet Security Flaw: Solution Found? All You Need to Know
Technology companies may have freaked themselves out.
A security flaw dating from the '90s has survived into the present, unnoticed for all that time. As reported by Engadget, cryptographers have dubbed the flaw FREAK, shorthand for "Factoring Attack on RSA-EXPORT Key."
The FREAK attack has affected a slew of websites, both local and international, including those hosted by the U.S. government. According to Softpedia, the official pages of the White House, the Securities and Exchange Commission, the National Security Agency, the Federal Bureau of Investigation and the Senate are among them.
According to security experts, FREAK has also affected programs such as Apple's Safari browser and Google's Android mobile OS, Computerworld said. The flaw permits intruders to tamper with encrypted traffic between servers and clients.
FREAK is specifically an SSL (Secure Sockets Layer) / TLS (Transport Layer Security) vulnerability. In the most basic sense, a client is exposed when it uses a version of OpenSSL vulnerable to CVE-2015-0204.
The study wrote, "Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites."
As it turns out, the problem rose from an earlier U.S. policy that prohibited export of strong encryption, The Washington Post reported. Instead, weaker "export-grade" products had been mandated for international shipping.
According to the outlet, such restrictions were lifted in the '90s, but the weaker encryption nevertheless stayed popular. It is now known that affected browsers, forced to use the weaker encryption, allow intruders to steal personal data, which is the core objective of most hacking activities.
Princeton University professor Ed Felten wrote in a blog post, "When it became legal to export strong crypto, the export mode feature was not removed from the protocol because some software still depended on it. Export mode is still an option today."
The public's biggest concern is, of course, the fix. As told by The Telegraph, stronger encryption (1024-bit) is "many, many, many multiples harder" to crack than its 512-bit counterpart.
The outlet expects that quick patches, such as those from Google and Apple, should be enough to fix the problem.
The research team has also advised users to disable support for any export suites, to disable all other known-insecure ciphers, and to "enable forward secrecy." As a first step, an online check is available to see whether a particular website supports RSA export suites.
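The two checks behind this advice, as an added example that is not code from the article or from OpenSSL: a simplified model of the client-side acceptance rule that CVE-2015-0204 got wrong, and a server-side audit for the two recommendations above. Suite names follow the IANA registry; the function names and the sample suite lists are constructed for illustration.

```python
# Added example (not from the article or from OpenSSL). Suite names are IANA
# names; the functions and sample lists below are hypothetical.


def is_export_suite(suite: str) -> bool:
    """True for the 1990s 'export-grade' suites (40-bit ciphers, 512-bit RSA)."""
    return "_EXPORT" in suite


def client_accepts_ske(negotiated_suite: str, temp_key_bits: int, patched: bool) -> bool:
    """Client-side check on an RSA ServerKeyExchange (temporary RSA key).

    An unpatched OpenSSL client (CVE-2015-0204) accepted a temporary RSA key even
    when the suite it believed it had negotiated was not an export suite, which is
    what lets a man-in-the-middle splice a 512-bit export key into an otherwise
    strong handshake. The patched rule only accepts the message when the suite
    actually negotiated is RSA_EXPORT, whose temporary key is at most 512 bits.
    """
    if not patched:
        return True
    return is_export_suite(negotiated_suite) and temp_key_bits <= 512


def audit_server_suites(offered: list[str]) -> dict:
    """Server-side audit for the article's advice: no export suites, and
    forward secrecy (ephemeral DHE/ECDHE key exchange) available."""
    export = [s for s in offered if is_export_suite(s)]
    forward_secret = [s for s in offered if "_DHE_" in s or "_ECDHE_" in s]
    return {
        "export_suites": export,
        "forward_secrecy": bool(forward_secret),
        "ok": not export and bool(forward_secret),
    }


# Constructed sample lists: a legacy server still offering export suites, and
# a hardened one offering only ephemeral key exchange.
LEGACY_SERVER_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
]
HARDENED_SERVER_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
]
```

A server that passes `audit_server_suites` never sends a temporary RSA key, so the client-side rule is a second line of defence for clients that cannot yet be patched.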
In the meantime, Apple and Google are said to be working on their respective patches, Engadget reported.
FREAK was discovered by Karthikeyan Bhargavan of France's INRIA and Microsoft Research, Computerworld noted.