“FREAK” Security Flaw Discovered Lurking In Many Computers For Decades, Apple Promises Fix Next Week

[Victorious Secret]

 

 

This is almost admirable that you can go so old school in your exploiting to compromise modern devices. Its nice that Apple is offering up a fix "next week" (haven't read what google plans on doing about this). 

Its a two pronged problem. Devices that are sold today that can be exploited but also web servers out there running such old hardware and software that you need to do a little more than push out a update to plug the holes with some of these exploits. 

 

 

Dubbed “FREAK” by the researchers who discovered it, the exploit allowed researchers (and potentially hackers) to sniff traffic going to and from many otherwise encrypted websites — including some government sites — thanks to some stuff left behind from the 90s.

 

• Up until 1999 or so, the US government forbade companies from shipping any products overseas that contained strong encryption. “Export-grade” (that is, weak and breakable) encryption was okay, though.
• In the 90s, this encryption was more than enough to evade anyone who didn’t have access to a supercomputer. Nowadays, as Ed Felten points out, that’s anyone who knows their way around Amazon’s EC2.
• These restrictions were lifted around 1999 — but somehow these weaker “export-grade” encryption modes were left in “many Google and Apple” devices (and other devices that use unpatched OpenSSL), unused and mostly forgotten… until now
• With a cleverly executed man-in-the-middle attack, researchers were able to force a victim’s connection to use this now quite-crackable weaker encryption cipher.
• Once the connection is on that weaker cipher, any “encrypted” communication the attacker can sniff out — passwords, messages, etc. — can be decrypted in a matter of hours.

The short version: hackers force a victim’s connection to use long-forgotten encryption ciphers left behind in popular products (Android, Apple’s Safari) instead of today’s stronger stuff, then decrypt the data.

 

 

http://techcrunch.com/2015/03/03/freak-security-flaw-discovered-lurking-in-many-computers-for-decades-apple-promises-fix-next-week/

[Opcode]

No matter what you do the internet will never be "safe".

[TwistedDictator]

Anyway its an ecryption bug which they can fix asap.

 

Freak flaw suggest about 9.5% of the web's top one million websites are susceptible to such attacks.

 

 

Also

Initially the flaw was thought only to affect some users of Android and Blackberry phones and Apple's Safari web browser.

 

Google has updated its version of Chrome for the Mac to remove its susceptibility to Freak. It has yet to say what action it is taking with Android.

 

[Misanthrope]

No matter what you do the internet will never be "safe".

 

That doesn't mean that some things aren't harder to get through than others though: My house is most certainly not impenetrable but that doesn't means I'd go "No house will ever be safe" and just leave the door wide open for anyone to steal my shit.