Stories
Slash Boxes
Comments

SoylentNews is people

BREAKING: 20 Year old Encryption Regulations Enable FREAK attack

posted by martyb on Wednesday March 04 2015, @03:52AM   Printer-friendly
from the irregulation dept.

frojack writes:

BREAKING NEWS

ArsTechnica is reporting that a new / old attack vector haunts mobile phones due to a 20 year old export regulation.

Security experts have discovered a potentially catastrophic flaw that for more than a decade has made it possible for attackers to decrypt HTTPS-protected traffic passing between Android or Apple devices and hundreds of thousands or millions of websites, including AmericanExpress.com, Bloomberg.com, NSA.gov, and FBI.gov.

The problem is caused by another encryption down-grade request that most phones honor. Web sites capable of using the weaker standards can can be tricked into downgrading the encryption protocol, and the phones will dutifully follow.

In recent days, a scan of more than 14 million websites that support the secure sockets layer or transport layer security protocols found that more than 36 percent of them were vulnerable to the decryption attacks. The exploit takes about seven hours to carry out and costs as little as $100 per site. The so-called FREAK attack—short for Factoring attack on RSA-EXPORT Keys—is possible when an end user with a vulnerable device—currently known to include Android smartphones, iPhones, and Macs running Apple's OS X operating system—connects to a vulnerable HTTPS-protected website. Vulnerable sites are those configured to use a weak cipher that many had presumed had been retired long ago. At the time this post was being prepared, most Windows and Linux end-user devices were not believed to be affected.

At the time of this posting, the security flaw has only been known for several hours. I recommend everyone read the ARS article, which explains it better than I can.

You will see many more stories on this in coming days. It wasn't the only vulnerability released today.

Edit: Added a link to the the National Vulnerability Database post per request. ~mrcoolbp

 
This discussion has been archived. No new comments can be posted.
BREAKING: 20 Year old Encryption Regulations Enable FREAK attack | Log In/Create an Account | Top | 45 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by kaszz on Wednesday March 04 2015, @06:09AM

    by kaszz (4211) on Wednesday March 04 2015, @06:09AM (#152909) Journal

    This has all the evidence trail of that organization with big ears in the west. Upgrade time..

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by stormwyrm on Wednesday March 04 2015, @08:16AM

    by stormwyrm (717) on Wednesday March 04 2015, @08:16AM (#152932) Journal

    This one really is the NSA's fault. During the era of the so-called Crypto Wars [wikipedia.org] the NSA insisted that the SSL protocol be weakened for export. This attack exploits the remnants of that effort to selectively weaken the protocol.

    --
    Numquam ponenda est pluralitas sine necessitate.