FREAK out? Security researchers warn of new vulnerabilities in Apple's OpenSSL and SecureTransport that allow an attacker to decrypt cookies your login credentials and other sensitive information from HTTPS connections if you use a vulnerable browser such as Safari.
Apple's SecureTransport is a library used by iOS and OS X applications, such as Safari for iPhone, iPad, and Mac. The OpenSSL protocol is open source, and is used by Android browsers, and many more.
With the OpenSSL and SecureTransport protocols, the encryption on connections to banks, webmail, and other HTTPS websites.
"The connection is vulnerable if the server accepts RSA_EXPORT encryption and the client either offers an RSA_EXPORT suite or uses a version of OpenSSL that is vulnerable to vulnerability CVE-2015-0204,” according to freakattack.com, a website that explains the security flaw.
"Delicate customers they have many Google and Apple devices that use unpatched OpenSSL, a large number of embedded systems, and many other software products that use TLS.”
You can see if your browser is vulnerable to freakattack.com.
How did this happen?
In the early 1990s, the government of the US banned the sale of software abroad unless the code used by so-called "encryption export suites" that contained encryption keys is no longer 512 bits.
At that time, in order to ensure Uncle Sam, only relatively weak encryption was exported to the rest of the world, and he held the strongest for himself.
However, the limitations on cryptos exports no longer apply, but some implementations of TLS and SSL protocols continue to support these 1990 technology for the export of encryption code.
This last defect, which we report today and was named FREAK (Factoring RSA Export Keys), can be exploited during the creation of a secure connection when encryption has not yet started.
Vulnerable clients (such as a web browser, smartphone or internet-of-things) start talking on a server (like the machine behind an HTTPS webpage), and listing the encryption algorithms and key lengths supported.
An intruder can monitor traffic between the client and the server and can intervene by saying that the client only receives encryption-encryption keys, such as telling one of the old 512-bit RSA keys.
Because of the flaw in OpenSSL and SecureTransport, the server responds with a weak key, the client accepts it and the encryption process begins.
Hopefully they will release patches immediately.
