"FREAK" Flaw


Researchers have dubbed a new flaw "FREAK", named for the vulnerability it exploits: a Factoring attack on RSA-EXPORT Keys.

What it is

This security flaw, which was recently uncovered, is the result of a U.S. government policy in place prior to 1990.  That policy required that weaker (512-bit) encryption be designed into software to allow for surveillance.  Software designed under the policy came into wide use and has since proliferated around the world.

What it does

This flaw means that web browsers can be manipulated into using this weaker encryption, after which passwords and other personal data can be cracked over the course of a few hours.  Another vulnerability is that a hacker could take over elements of a website, such as the Facebook "Like" button.

It is estimated that more than 1/3 of all websites secured by SSL technology have been found vulnerable to this attack.
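As an added illustration (not code from the original post), the following Python parses a constructed TLS ClientHello and ServerHello and flags the negotiation outcome FREAK relies on: the server settling on an export-grade RSA cipher suite, or on a suite the client never offered. The cipher suite codes are those defined in RFC 2246; the handshake messages are constructed for this example.

```python
import struct

RSA_EXPORT_SUITES = {  # RFC 2246 RSA_EXPORT codes: the 512-bit export suites
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def _wrap(hs_type, body):
    """Wrap a handshake body in a 4-byte handshake header and 5-byte record header."""
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_client_hello(suites):
    """Constructed ClientHello: version, random, empty session id, suites, null compression."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    return _wrap(1, b"\x03\x01" + b"\x11" * 32 + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00")

def build_server_hello(suite):
    """Constructed ServerHello: version, random, empty session id, chosen suite, null compression."""
    return _wrap(2, b"\x03\x01" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00")

def _handshake_body(record, expected_type):
    """Validate the record and handshake headers, return the handshake body."""
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16 or len(record) < 5 + rec_len or record[5] != expected_type:
        raise ValueError("not the expected complete TLS handshake record")
    return record[9:9 + int.from_bytes(record[6:9], "big")]

def client_hello_suites(record):
    """Cipher suites offered by the client, in order."""
    body = _handshake_body(record, 1)
    pos = 35 + body[34]                # skip client_version, random and session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + n, 2)]

def server_hello_suite(record):
    """The single cipher suite the server selected."""
    body = _handshake_body(record, 2)
    pos = 35 + body[34]                # skip server_version, random and session_id
    return struct.unpack("!H", body[pos:pos + 2])[0]

def check_negotiation(client_hello, server_hello):
    """'ok' if the chosen suite was offered and is not export-grade, else the reason."""
    offered, chosen = client_hello_suites(client_hello), server_hello_suite(server_hello)
    if chosen in RSA_EXPORT_SUITES:
        return "export-grade suite negotiated: " + RSA_EXPORT_SUITES[chosen]
    if chosen not in offered:
        return "server chose suite 0x%04x the client never offered" % chosen
    return "ok"
```

A patched client performs the same two checks on a live handshake; a downgraded connection fails the first, and a tampered ClientHello typically fails the second.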

What you should know

Not all browsers are vulnerable to this behavior.  Of particular concern are the browsers pre-installed on most Android mobile devices and on Apple computers and devices.  Apple is working on a patch which should be in place next week.  Google has completed the patch for Android devices; however, because Android is more widely distributed, it is the distribution partners who are responsible for releasing the patch.

What to do next

You can browse to https://freakattack.com/ to see if the browser you are using is vulnerable.  Also, if you haven't already made use of a password manager such as LastPass, now is the time!