FREAK, which stands for Factoring Attack on RSA-EXPORT Keys, is a new, widespread vulnerability that has been found to affect millions upon millions of Google Android and Apple Safari users.
FREAK has left users of these browsers vulnerable to interception of their electronic communications while visiting thousands of websites. For the many users who trust the SSL "lock" icon that denotes a secure website, this means that the icon is not really as trustworthy as it should be.
Fortunately, launching attacks taking advantage of the FREAK vulnerability is not trivial, and fixes to the software affected are already on their way.
The FREAK vulnerability was accidentally created by a U.S. encryption export policy in the late 1990s, when the government required United States companies to decrease the strength of the encryption keys that they shipped abroad to only a 512-bit key length, which is easily crackable today. The government made the demand so that the NSA would be able to access foreign communications.
As encryption became stronger, the United States government withdrew the demand for foreigners to implement weaker keys. However, until recently, certain web servers and Internet browsers were still programmed to accept weak encryption, and attackers could potentially take advantage of the flaw by tricking users' browsers into using the now-useless 512-bit keys.
Attackers using the FREAK vulnerability would visit any of the affected websites, make it give up its weak encryption key and then crack it. While on the same network, the hacker can then intercept all communications between a vulnerable Internet browser and the website's server with all the encryption removed. Attackers can also change the content, which would trick users into sending out information such as log-in details.
Generating the weak 512-bit keys, according to University of Pennsylvania's Nadia Heninger, took only 7.5 hours and $104 on Amazon Web Services machines.
A scan of the top 1 million websites ranked on Alexa revealed that 12.2 percent of them accept the weak encryption. Included in the affected websites are those of huge financial companies such as American Express and media companies such as Bloomberg and Business Insider. A long list of government websites, ironically including nsa.gov and whitehouse.gov, is also affected.
Because a FREAK attack has many requirements, hackers have many easier ways to launch attacks on users. However, according to cryptographer Matthew Green, the most vulnerable software is the Safari browser on all of Apple's devices and browsers that utilize OpenSSL on Android, which covers most of the devices running Google's operating system.
Apple and Google have both started creating updates to their software to fix the vulnerability.
The lesson learned here, Green noted, is that encryption backdoors are never worth it. The plan that hatched FREAK was launched and scrapped decades ago, but the effects are still hurting consumers today.