Researchers this week disclosed a security flaw that has left some Apple and Google device users vulnerable to attack when visiting supposedly secure websites.
The vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Key), dates back more than a decade, and opens those on the Android and Safari browsers to man-in-the-middle hacks when surfing various sites, including government pages.
According to the cryptographers who uncovered the flaw, “Freak” targets deliberately weak export cipher suites, which were introduced “under the pressure of U.S. governments agencies to ensure that the NSA would be able to decrypt all foreign encrypted communication.”
Support for most of these algorithms are disabled by default, but there is a loophole, the researchers said.
“If a server is willing to negotiate an export ciphersuite, a man-in-the-middle may trick a browser (which normally doesn’t allow it) to use a weak export key,” their website said.
Many U.S. government agencies (NSA, FBI) and other popular sites (IBM, Symantec) enable those export ciphersuites on their servers, allowing hackers to impersonate them to vulnerable clients.
Folks using Chrome, Firefox, or Internet Explorer to connect to sites offering strong ciphers are probably not affected, the team said. But anyone running a browser with a buggy TLS library, over an insecure network, connecting to an HTTPS server with export ciphersuites, may be vulnerable.
Check out an abridged list of insecure sites—including American Express, Bloomberg, National Geographic, Cornell University, and the Ohio government, among others; the full lineup of domains is also available online.
Web administrators can use the SSL Labs’ server test to check their site’s risk level. If vulnerable, they should disable support for all known insecure ciphers and enable forward secrecy.
An Apple spokesman told PCMag that an iOS and OS X fix will be pushed out next week.
Google, meanwhile, has developed a patch that it will provide to parnters. But a company spokeswoman told PCMag that “connections to most websites … are not subject to this vulnerability.”
Still, the search giant encourages all websites to disable support for export certificates.