The latest security scare to hit the technology world has a lot of people freaking out, and not only because it’s called FREAK. FREAK is a security flaw that affects encryption between servers and clients and can compromise information such as credit cards or emails.
FREAK stands for Factoring Attack on RSA-EXPORT Keys. Ok, admittedly not the greatest acronym, but it’s much more than words. Many experts are claiming the vulnerability, affecting thousands of websites and programs, has gone undetected for years.
Essentially, what FREAK does it is tries to capture supposedly encrypted data being sent between clients and servers. It affects two major security protocols including SSL (Secure Sockets Layer) and TLS (Transport Layer Security). A troubling notion is that FREAK almost feeds off of these encrypted websites. Basically, SSL and TLS provide a secure connection between a website and a browser. This makes things like online shopping more secure, as it’s required for vendors who take credit card payments on their website to have an SSL certificate. SSL and TLS are also used heavily when encrypting emails. Of course, we all know about the warning of putting private information into emails.
So, is FREAK affecting you? Maybe. The flaw, according to a recent article by InfoWorld affects, “many popular websites, as well as programs including Apple’s Safari browser and Google’s Android mobile OS…Applications that use a version of OpenSSL prior to 1.0.1k are also vulnerable to the bug”. Both Google and Apple have announced updates to their operating systems in hopes of squashing the bug.
What causes these types of bugs? Well, of course, someone has to put them out there. Something like FREAK isn’t just created out of thin air. In lay terms, somebody wants access to encrypted data, so they find holes in the security framework and attack it. An interesting theory as to how FREAK came about dates back to the early 1990’s.
In the early 90’s the United States imposed strict regulation and prohibition of software makers shipping products with high levels of encryption; this meant that companies sent products with weak encryption which was relied upon for years, and may still be today. This leads to a hay day for cyber criminals.
What is happening now is that attackers are downgrading encryption from strong to weak using a brute force method, and are getting easier access to encryption keys. Back then, a 512-bit encryption key was considered highly secure. Today, it’s fairly cheap and easy to get the computer power to obtain those keys. While SSL/TSL do have built in security measures against these types of attacks, it is reported they can be worked around.
If you use SSL/TSL or OpenSSL (as many Apple and Google devices do) it’s possible your website could be vulnerable. You can learn more about who is vulnerable and what you can do about it at http://freakattack.com.