Yet another security flaw that has remained hidden for years has come to light. The so-called FREAK flaw was revealed today in a post on the Ars Technica blog. Those interested in the technical details can read the article.
What Is FREAK?
The acronym stands for Factoring attack on RSA-EXPORT Keys. What that means in plain English is that some browsers on smartphones and on Apple Macs running OS X are vulnerable to an exploit that targets HTTPS-protected websites. These are typically financial sites like banks, brokerages and mortgage companies, and other sites that deal with sensitive information like credit card numbers, Social Security numbers and the like. In short, exactly the kinds of sites you DON’T want to have security problems!
This flaw creates the possibility of a “man in the middle” attack, where someone could intercept and decode data being transmitted between your device and an affected site. HTTPS is supposed to prevent exactly that scenario, but it has recently been discovered that an outdated security rule allows an attacker, in certain circumstances, to downgrade the encryption to a level that today’s readily available computing power can crack, so to speak, quickly enough to make the attack practical.
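To make that downgrade concrete, here is an added example in Python (not code from the original post or from the Ars Technica article): a small parser that pulls the cipher suites out of a captured TLS ClientHello or ServerHello and flags the RSA export-grade suites that FREAK relies on, which lets a defender spot a server that still accepts them or a handshake that was pushed onto one. The handshake bytes it checks are constructed inline as sample data.

```python
import struct

# Code points of the RSA key-exchange export-grade suites that FREAK abuses
# (values from the IANA TLS Cipher Suite registry).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
CLIENT_HELLO, SERVER_HELLO = 1, 2

def hello_cipher_suites(record: bytes) -> tuple:
    """Parse a TLS handshake record holding a ClientHello or ServerHello and
    return ("client", offered suites) or ("server", [selected suite])."""
    if len(record) < 5 or record[0] != 22:  # 22 = handshake content type
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                     # skip version and 32-byte random
    pos += 1 + hello[pos]            # skip session_id_length and session id
    if hs_type == SERVER_HELLO:      # server names exactly one suite
        return "server", [struct.unpack("!H", hello[pos:pos + 2])[0]]
    if hs_type == CLIENT_HELLO:      # client sends a length-prefixed list
        n = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        return "client", [struct.unpack("!H", hello[i:i + 2])[0]
                          for i in range(pos, pos + n, 2)]
    raise ValueError(f"unexpected handshake type {hs_type}")

def export_suites(record: bytes) -> list:
    """Names of RSA export suites offered (ClientHello) or chosen (ServerHello).
    A ServerHello that selects one is the downgrade FREAK depends on."""
    _, suites = hello_cipher_suites(record)
    return [RSA_EXPORT_SUITES[s] for s in suites if s in RSA_EXPORT_SUITES]

def _record(hs_type: int, hello: bytes) -> bytes:
    """Wrap a Hello body in handshake and TLS 1.0 record headers (sample data)."""
    hs = bytes([hs_type]) + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed sample: version, 32-byte random, empty session id, then a client
# offering TLS_RSA_WITH_AES_128_CBC_SHA (0x002F) plus the RC4-40 export suite,
# and a server that selects the export suite (the weak choice FREAK forces).
HELLO_PREFIX = b"\x03\x01" + bytes(32) + b"\x00"
CLIENT = _record(CLIENT_HELLO, HELLO_PREFIX + b"\x00\x04\x00\x2f\x00\x03\x01\x00")
SERVER = _record(SERVER_HELLO, HELLO_PREFIX + b"\x00\x03\x00")
```

A server whose ServerHello never lands in `export_suites` for any client offer has the export suites disabled, which is the server-side fix for this flaw.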
Am I Affected?
If you use an Android phone, an iPhone or an Apple Mac running OS X, you may be affected. This is a serious potential threat and requires caution on the part of all users of the above devices.
You may run a quick test of your favorite browser by going to this website:
I just visited the site using Chrome on Windows and got a green message saying that my browser appears to be safe. Firefox is also shown to be safe, according to the Ars Technica article. I suggest checking all browsers on your phone or tablet, as well as your computer, to be sure which ones are currently safe to use. The browser authors are busily patching their software, so one that is not safe today may be safe after an update.
The bottom line is: don’t assume yours is safe because someone else says theirs is. Test it for yourself to be sure. You may be on a different release of the software than someone else, so you can’t go by what they tell you.
As always, be careful out there!
Laptop image courtesy of Stuart Miles on FreeDigitalPhotos.net