Tuesday, March 03, 2015

“FREAK” Flaw Undermines Security For Apple and Google Users

The Washington Post reports: “FREAK” flaw undermines security for Apple and Google users, researchers discover.

I think the article should be reasonably clear to a layperson. When a client (e.g., a browser) and a server (e.g., a web site) first communicate, they negotiate which encryption algorithms (cipher suites) they both support. It turns out many sites still allow old, now weak, algorithms. This is particularly bad because in the 90s the US government limited which algorithms could be exported out of the country, so when the article refers to "export grade" think "weak enough that the NSA in the 90s could break it". Today that means weak enough that someone with a few machines can break it in a couple of hours.
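As an added illustration of the negotiation just described (example code, not from the article or this post): the server picks the first of its configured suites that the client also offers, so a site that still lists export-grade suites will end up using one whenever the client's offer contains nothing stronger. The cipher suite names and code points are real IANA registry values; the server configurations are constructed for the example.

```python
"""Model of TLS cipher-suite negotiation plus an audit for export-grade suites.

Constructed example: the suite names/code points are real IANA values, the
server configurations below are made up to show the weak and fixed cases.
"""
from typing import Dict, List, Optional, Sequence

# Real IANA "TLS Cipher Suite Registry" entries (code point -> name).
SUITES: Dict[int, str] = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

# Constructed server configuration that still lists 1990s export suites.
WEAK_SERVER_CONFIG: List[int] = [0xC02F, 0x002F, 0x0008, 0x0003]


def is_export_grade(code: int) -> bool:
    """Export-grade suites carry _EXPORT_ in their registry name."""
    return "_EXPORT_" in SUITES.get(code, "")


def negotiate(client_offer: Sequence[int], server_config: Sequence[int]) -> Optional[int]:
    """Server-preference negotiation: first configured suite the client also offers.

    Returns None when there is no common suite (the handshake fails)."""
    offered = set(client_offer)
    for code in server_config:
        if code in offered:
            return code
    return None


def audit_server(server_config: Sequence[int]) -> List[str]:
    """Names of the export-grade suites a server would still accept."""
    return [SUITES[c] for c in server_config if is_export_grade(c)]


def harden(server_config: Sequence[int]) -> List[int]:
    """The fix sites applied: drop every export-grade suite from the config."""
    return [c for c in server_config if not is_export_grade(c)]


if __name__ == "__main__":
    modern_client = [0xC02F, 0x002F]       # offers only strong suites
    export_only_client = [0x0003, 0x0008]  # offers only export suites
    print("modern client, weak server :", SUITES[negotiate(modern_client, WEAK_SERVER_CONFIG)])
    print("export-only client, weak  :", SUITES[negotiate(export_only_client, WEAK_SERVER_CONFIG)])
    print("export-only client, fixed :", negotiate(export_only_client, harden(WEAK_SERVER_CONFIG)))
    print("audit of weak server      :", audit_server(WEAK_SERVER_CONFIG))
```

The point of the audit is that a server looks fine against a modern browser yet still accepts a 40-bit suite from any client whose offer contains nothing better; removing the suites from the server configuration is what closes the gap.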

So companies are fixing their sites and their browsers. The article mentions a key difference between iOS and Android. Apple will just ship a free update soon that fixes the problem for every still-supported iPhone. For Android owners it isn't so smooth: Google can ship a fix, but Android owners have to get it from their phone manufacturer, which doesn't have a great incentive to ship free updates.

Update: Rich Salz provides some details: Akamai Addresses CVE-2015-0204 Vulnerability.
