SoylentNews is people
SoylentNews
BREAKING NEWS
ArsTechnica is reporting that a new / old attack vector haunts mobile phones due to a 20 year old export regulation.
Security experts have discovered a potentially catastrophic flaw that for more than a decade has made it possible for attackers to decrypt HTTPS-protected traffic passing between Android or Apple devices and hundreds of thousands or millions of websites, including AmericanExpress.com, Bloomberg.com, NSA.gov, and FBI.gov.
The problem is caused by another encryption down-grade request that most phones honor. Web sites capable of using the weaker standards can can be tricked into downgrading the encryption protocol, and the phones will dutifully follow.
In recent days, a scan of more than 14 million websites that support the secure sockets layer or transport layer security protocols found that more than 36 percent of them were vulnerable to the decryption attacks. The exploit takes about seven hours to carry out and costs as little as $100 per site. The so-called FREAK attack—short for Factoring attack on RSA-EXPORT Keys—is possible when an end user with a vulnerable device—currently known to include Android smartphones, iPhones, and Macs running Apple's OS X operating system—connects to a vulnerable HTTPS-protected website. Vulnerable sites are those configured to use a weak cipher that many had presumed had been retired long ago. At the time this post was being prepared, most Windows and Linux end-user devices were not believed to be affected.
At the time of this posting, the security flaw has only been known for several hours. I recommend everyone read the ARS article, which explains it better than I can.
You will see many more stories on this in coming days. It wasn't the only vulnerability released today.
Edit: Added a link to the the National Vulnerability Database post per request. ~mrcoolbp
(Score: 4, Interesting) by c0lo on Wednesday March 04 2015, @06:16AM
Can you please stick to using car analogies?
Because this one... maybe I didn't get it quite right, but: China can issue a fake certificate that will be trusted by your browser, but the guy at your favourite Free-WiFi coffee-shop (if it's starbucks, shame on you) can't.
But what that guy can do is to fuzz your connection, force the site you are visiting to drop to a 512 key, crack it and use it afterwards to decrypt the traffic of any device that accepts a fallback on the same key (eavesdropping and possibly intercepting more juicy info, MiTM, let your imagination run wild, it's a pants-down you wouldn't expect).
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Wednesday March 04 2015, @07:55AM
That was a horrible car analogy. Maybe you forgot to preface it with "While you're sitting in your car getting free WiFi from your favorite free-WiFi coffee shop ..."