Security researchers have warned of an HTTPS-crippling vulnerability that has left Apple and Android devices susceptible. Attackers are able to decrypt HTTPS traffic traveling between vulnerable Apple and Android devices and affected websites.
A recent scan of more than 14 million websites that support the secure sockets layer or transport layer security protocols showed that more than 36 percent of them were vulnerable to the decryption attacks.
“The exploit takes about seven hours to carry out and costs as little as $100 per site. The so-called FREAK attack—short for Factoring attack on RSA-EXPORT Keys—is possible when an end user with a vulnerable device—currently known to include Android smartphones, iPhones, and Macs running Apple’s OS X operating system—connects to a vulnerable HTTPS-protected website. Vulnerable sites are those configured to use a weak cipher that many had presumed had been retired long ago. At the time this post was being prepared, most Windows and Linux end-user devices were not believed to be affected,” reports Ars Technica.
Man-in-the-middle attackers could monitor traffic passing between vulnerable end users and servers and then inject malicious packets into the flow, causing the two parties to use a weak 512-bit encryption key while negotiating encrypted Web sessions.
Attackers could then collect some of the data from the exchange and use cloud-based computing from Amazon or other services to factor the website’s underlying private key. This would then allow an attacker on a free hotspot or other unsecured network to fraudulently pose as the authentic website and steal the victim’s data.
FREAK was discovered by a research team from organizations including INRIA Paris-Rocquencourt and Microsoft.
Apple says it plans to issue patches for iOS and OS X next week. Google says an Android patch has already been distributed to partners.
Matthew Green, an encryption expert at Johns Hopkins University, told Ars Technica that the vulnerable devices included nearly all Android devices, as well as iPhones and Macs.
Ars also learned from two unnamed sources that even BlackBerry OS 10.3.1.2267 is allegedly vulnerable. Visiting the test site https://freakattack.com reveals that the BlackBerry 10 browser is vulnerable.
BlackBerry has issued us this official statement regarding the matter:
“BlackBerry is comprehensively investigating the “FREAK” vulnerability industry issue and we will take any action necessary to ensure our customers are protected.”
This vulnerability is apparently the result of 1990s politics. The Clinton administration required weak “export keys” to be used in any software or hardware that was exported out of the US.
“This bug causes them to accept RSA export-grade keys even when the client didn’t ask for export-grade RSA,” Green wrote in a blog post detailing the FREAK vulnerability. “The impact of this bug can be quite nasty: it admits a ‘man in the middle’ attack whereby an active attacker can force down the quality of a connection, provided that the client is vulnerable and the server supports export RSA.”
A list of vulnerable websites is here. N4BB is not listed as a vulnerable site, nor could it be. You may have noticed we recently shifted from HTTP to HTTPS. In the interest of our users’ safety, we use HTTP Strict Transport Security (HSTS).
HSTS (RFC 6797) is a header which allows our website to specify and enforce security policy in your web browsers. This policy enforcement protects our secure website from downgrade attacks (like FREAK) and SSL stripping, and helps protect against cookie hijacking. This allows our web server to declare a policy that browsers will only connect using secure HTTPS connections, and ensures end users (you) do not “click through” critical security warnings. HSTS is an important security mechanism for high security sites. HSTS headers are only respected when served over HTTPS connections, not HTTP.
Furthermore, our SSL does not support “export grade” cryptography and we use the non-vulnerable version of OpenSSL. Outdated protocols and ciphers (such as SSLv3, RC4) have been disabled, and we keep up to date with the latest and most secure ciphers (such as ChaCha-Poly, forward secrecy and elliptic curves).
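As an added example (not N4BB's or the researchers' code), this Python audits a TLS scan result for the settings the two paragraphs above describe: export-grade and RC4 suites, SSLv3, and an HSTS policy delivered over HTTPS. The scan dictionary layout, the function names and the sample data are assumptions constructed for illustration; suite names follow OpenSSL and IANA naming.

```python
# Added example: input layout and names are assumptions, sample data is constructed.
NON_RSA_EXPORT = ("EXP-EDH-", "EXP-ADH-", "EXP-DH-", "EXP-KRB5-")

def classify_suite(name):
    """Return weakness labels for one OpenSSL- or IANA-style suite name."""
    n, labels = name.upper(), set()
    if n.startswith("EXP-") or "_EXPORT" in n:
        labels.add("export-grade")
        # RSA_EXPORT key exchange is the one FREAK downgrades to.
        if n.startswith("TLS_RSA_EXPORT_") or (
                n.startswith("EXP-") and not n.startswith(NON_RSA_EXPORT)):
            labels.add("rsa-export")
    if "RC4" in n:
        labels.add("rc4")
    return labels

def parse_hsts(value):
    """Parse a Strict-Transport-Security value -> (max_age or None, includeSubDomains)."""
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.strip().lower()] = val.strip().strip('"')
    age = directives.get("max-age", "")
    return (int(age) if age.isdigit() else None), "includesubdomains" in directives

def audit(scan):
    """scan: dict with 'scheme', 'headers', 'protocols', 'suites'. Returns sorted findings."""
    findings = set()
    for suite in scan["suites"]:
        findings |= {f"{label}: {suite}" for label in classify_suite(suite)}
    if "SSLv3" in scan["protocols"]:
        findings.add("protocol: SSLv3 enabled")
    headers = {k.lower(): v for k, v in scan["headers"].items()}
    hsts = headers.get("strict-transport-security")
    # Browsers ignore HSTS received over plain HTTP, so only HTTPS responses count.
    if scan["scheme"] != "https" or hsts is None:
        findings.add("hsts: no policy delivered over HTTPS")
    elif not parse_hsts(hsts)[0]:
        findings.add("hsts: max-age missing or zero")
    return sorted(findings)

# Constructed sample scan results (not real sites).
WEAK = {"scheme": "https", "headers": {}, "protocols": ["SSLv3", "TLSv1.2"],
        "suites": ["EXP-RC4-MD5", "EXP-EDH-RSA-DES-CBC-SHA", "AES128-SHA"]}
HARDENED = {"scheme": "https", "protocols": ["TLSv1.2"],
            "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
            "suites": ["ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256"]}
print(audit(WEAK), audit(HARDENED))
```

The `rsa-export` label marks the suites relevant to FREAK; other export-grade suites are reported separately because they use a different key exchange.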
Your anonymity and security are a top priority when you access or have an account on N4BB or the UMG Mobile store.