Security researchers have disclosed a serious security flaw in Apple's Safari browser and the stock Android browser that has existed for over a decade, the Washington Post is reporting. The flaw enables so-called factoring attacks on RSA-EXPORT keys (or FREAK for short), which would let an attacker positioned between a user and a website intercept and decrypt HTTPS-protected web traffic to millions of sites, including AmericanExpress.com and FBI.gov. There is no evidence that the flaw is being actively exploited, which sets up a race between the security teams at Apple and Google and would-be attackers.
The most frustrating part of this security flaw may be that it traces back to antiquated US government rules restricting strong cryptography. In the 1990s, US export regulations required that software and hardware shipped to other countries use deliberately weakened "export-grade" encryption, with RSA keys limited to 512 bits. That was supposed to be strong enough to protect against everyday hackers but weak enough for the NSA to break. The shortsighted rule has long since been lifted, but vestiges of the 512-bit export scheme still live on, hidden inside modern browsers and web servers. A man-in-the-middle attacker can rewrite the browser's connection request so that it asks a website only for the weak export-grade cipher suites; if the site still supports them, it answers with a 512-bit RSA key, and a vulnerable browser accepts that key even though it never asked for it. A 512-bit RSA key can be factored in a matter of hours on rented cloud computing, after which the attacker can read or tamper with the connection, making it far easier to steal login credentials, intercept online banking transactions and more.
Both Apple and Google are hard at work on a fix for this security issue, due next week or sooner. In the meantime, you'll want to exercise caution when accessing sensitive websites on your mobile device. Don't use your phone's or computer's default browser to access sensitive content, like an online banking account. For that, use the Firefox browser for PC, Mac or Android, which is not affected by FREAK. Website operators can close the hole for every visitor, whatever browser they use, by disabling export-grade cipher suites on their servers.
To learn more about the FREAK vulnerability and to test whether the browser you're currently using is vulnerable, visit freakattack.com.
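The downgrade described above, and the server-side check that complements the browser test at freakattack.com, can be reproduced offline with the following Python script. It is an added example for this article, not code from the FREAK researchers or from any vendor: it builds the ClientHello a FREAK man-in-the-middle substitutes for the browser's real one (offering nothing but RSA_EXPORT cipher suites) and parses the server's first reply to see whether the server agreed to one. The two sample replies at the bottom are constructed, not captured from any real site; `probe_server` sends the same probe to a live host and is the only part that needs a network.

```python
"""Reproduce the FREAK downgrade probe offline: build the export-only ClientHello a
man-in-the-middle substitutes for the browser's real one, and classify the server's
reply. Example code added for this article; not the researchers' or any vendor's code."""
import os
import socket
import struct

# RSA_EXPORT cipher suites defined in RFC 2246 (TLS 1.0), keyed by their 2-byte code.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
HANDSHAKE, ALERT = 0x16, 0x15            # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types
TLS_1_0 = b"\x03\x01"


def build_export_client_hello(suites=RSA_EXPORT_SUITES, client_random=None):
    """Return a TLS 1.0 ClientHello record whose cipher_suites list holds only
    export-grade RSA suites. A FREAK attacker rewrites the victim's real
    ClientHello into this shape before forwarding it to the server."""
    rnd = client_random if client_random is not None else os.urandom(32)
    cipher_list = b"".join(struct.pack("!H", code) for code in suites)
    body = (
        TLS_1_0                                            # client_version
        + rnd                                              # 32-byte client random
        + b"\x00"                                          # empty session_id
        + struct.pack("!H", len(cipher_list)) + cipher_list
        + b"\x01\x00"                                      # one compression method: null
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS_1_0 + struct.pack("!H", len(handshake)) + handshake


def parse_server_reply(data):
    """Classify the first TLS record a server sends in answer to the probe.

    Returns {'accepted': bool, 'cipher_suite': int or None, 'reason': str}.
    accepted=True means the server agreed to an RSA_EXPORT suite, so it can be
    used against any FREAK-vulnerable client that connects to it."""
    if len(data) < 5:
        return {"accepted": False, "cipher_suite": None, "reason": "truncated record"}
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == ALERT:
        # A server with export suites disabled answers with a fatal alert,
        # normally handshake_failure (description 40).
        desc = payload[1] if len(payload) >= 2 else "?"
        return {"accepted": False, "cipher_suite": None, "reason": f"alert {desc}"}
    if content_type != HANDSHAKE or len(payload) < 4 or payload[0] != SERVER_HELLO:
        return {"accepted": False, "cipher_suite": None, "reason": "unexpected record"}
    hs_len = int.from_bytes(payload[1:4], "big")
    hello = payload[4:4 + hs_len]
    # ServerHello: version(2) random(32) session_id_len(1) session_id cipher_suite(2) ...
    if len(hello) < 35:
        return {"accepted": False, "cipher_suite": None, "reason": "truncated ServerHello"}
    offset = 35 + hello[34]
    if len(hello) < offset + 2:
        return {"accepted": False, "cipher_suite": None, "reason": "truncated ServerHello"}
    suite = struct.unpack("!H", hello[offset:offset + 2])[0]
    if suite in RSA_EXPORT_SUITES:
        return {"accepted": True, "cipher_suite": suite, "reason": RSA_EXPORT_SUITES[suite]}
    return {"accepted": False, "cipher_suite": suite, "reason": "non-export suite chosen"}


def probe_server(host, port=443, timeout=5):
    """Send the export-only ClientHello to a live server (network access needed)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_export_client_hello())
        return parse_server_reply(sock.recv(4096))


# Constructed sample replies for offline use; not captured from any real server.
def _sample_server_hello(suite):
    hello = TLS_1_0 + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + TLS_1_0 + struct.pack("!H", len(hs)) + hs


SAMPLE_VULNERABLE_REPLY = _sample_server_hello(0x0008)                   # server picks DES40 export suite
SAMPLE_HARDENED_REPLY = bytes([ALERT]) + TLS_1_0 + b"\x00\x02\x02\x28"  # fatal handshake_failure

if __name__ == "__main__":
    print(parse_server_reply(SAMPLE_VULNERABLE_REPLY))
    print(parse_server_reply(SAMPLE_HARDENED_REPLY))
```

A site whose server answers the probe with a ServerHello selecting one of the export suites is still handing out the weak 512-bit key and should have those suites removed from its configuration; one that answers with a handshake_failure alert has nothing for a FREAK attacker to downgrade to. The client-side half of the bug, accepting an export key the browser never asked for, lives in the browser's TLS library and is what the Apple and Google patches fix.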