Q: What exactly is the FREAK security flaw that’s been discovered on smartphones and what do I need to do about it?
A team of security researchers and cryptographers has discovered a security flaw that dates back to the early days of the Internet and exists in many popular browsers.
Users of Safari on Mac and iOS devices, as well as stock browsers on many Android devices, are potentially vulnerable to being exploited when they visit certain secure websites (https://).
It’s being called FREAK or “Factoring Attack on RSA-EXPORT Key,” and it’s a remnant of the U.S. government’s restriction on the export of strong encryption back in the 1990s.
This forced developers to devise a system that could deliver strong encryption for U.S.-based users and weaker encryption for foreign users. It was all an attempt to let the government better monitor the Internet activity of foreign users by not allowing them to use our more powerful encryption.
The requirement was later dropped, but by that time, this dual encryption delivery system had become a standard part of web browsers.
Today, this legacy design still exists in some popular programs, which leaves users of these programs vulnerable to some pretty serious exploitation on sites that they may assume are secure.
We’ve all been told to look for https:// sites to know that the connection between us and the website is secure, but the researchers found a way to exploit this legacy issue. They discovered that they could force browsers to fall back to the older, weaker export-grade encryption, then crack it over the course of a couple of hours.
Once they broke the encryption, they could steal passwords and personal information and even take over websites themselves to further their attacks.
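The downgrade described above has two halves: a server still willing to use an export-grade RSA cipher suite, and a browser that accepts that suite even though it never asked for it. The following Python is an added illustration, not code from the researchers or from any browser vendor; it parses a TLS ServerHello and flags both conditions, using a constructed sample handshake as input.

```python
import struct

# Cipher suite IDs of the RSA_EXPORT family (RFC 2246 / RFC 4346 and the
# 56-bit export draft). Negotiating any of these is the weak link FREAK uses.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

def parse_server_hello_suite(record: bytes) -> int:
    """Return the cipher suite the server selected in a TLS ServerHello record.

    Layout: 5-byte record header, 4-byte handshake header, 2-byte version,
    32-byte random, 1-byte session-id length plus session id, 2-byte suite.
    """
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a TLS handshake record carrying a ServerHello")
    pos = 9 + 2 + 32                      # skip both headers, version, random
    sid_len = record[pos]
    pos += 1 + sid_len
    return struct.unpack("!H", record[pos:pos + 2])[0]

def check_negotiation(offered, server_hello):
    """Audit one handshake: the chosen suite must be one the client offered
    (a correct client rejects anything else) and must not be RSA_EXPORT.
    Returns (chosen_suite, list_of_findings); an empty list means clean."""
    chosen = parse_server_hello_suite(server_hello)
    findings = []
    if chosen not in offered:
        findings.append("server chose suite 0x%04x the client never offered" % chosen)
    if chosen in RSA_EXPORT_SUITES:
        findings.append("RSA_EXPORT suite negotiated: " + RSA_EXPORT_SUITES[chosen])
    return chosen, findings

def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (sample input only)."""
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", suite) + b"\x00"          # suite, null compression
    hs = b"\x02" + len(body).to_bytes(3, "big") + body   # handshake type 2
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    # Constructed sample: a modern client offer answered with an export suite.
    offered = [0xC02F, 0x002F, 0x0035]
    print(check_negotiation(offered, build_server_hello(0x0003)))
```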
Researchers have been scanning websites around the Internet to see how many still accept this weak export-grade encryption. They found that 10 percent of the top one million most popular secure sites and almost 40 percent of sites that your browser would trust are vulnerable.
The good news, so far, is that they haven’t seen evidence of any exploits in the wild. The bad news is that it’s just a matter of time.
If you have a Mac computer, iPhone, iPad or iPod Touch and you still use the Safari browser or you’re using the default browser on many Android devices, you’re the most vulnerable.
Users of current versions of Internet Explorer, Chrome or Firefox are not at risk.
I’ve always recommended the use of either Chrome or Firefox for any computer or mobile device, because I like some of the unique security features built in. If you’re a Mac, iOS or Android user, I’d strongly recommend you switch permanently.
To sort out which of the devices you own might be at risk, take a minute to visit FreakAttack.com on each of them.
The website will test your browser and let you know if what you are using is potentially vulnerable. If you’re using an older version of Internet Explorer, Chrome or Firefox, you may need to update it in order to protect yourself.
Apple and Google are reportedly working on fixes, so in the next week or so, make sure to download the updates as soon as they are posted.
If you’re a webmaster, FreakAttack.com has posted recommendations for what you should do to disable the weak export ciphers on your web server.