Why You Should Stop Using Your Default Browser!
What exactly is the FREAK security flaw that’s been discovered on smartphones and what do I need to do about it?
This question was answered on March 5, 2015. Much of the information contained herein may have changed since posting.
A team of security researchers and cryptographers has discovered a security flaw, dating back to the early days of the Internet, that exists in many popular browsers.
Users of Safari on Mac and iOS devices as well as stock browsers on many Android devices are potentially vulnerable to being exploited when they visit certain secure websites (https://).
It’s being called ‘FREAK’ or "Factoring attack on RSA-EXPORT Key" and it’s a remnant of the US government’s restriction on the export of strong encryption back in the ’90s.
This forced developers to devise a system that could deliver strong encryption for US-based users and weaker encryption for foreign users.
This was all in an attempt to allow the government to better monitor the Internet activity of foreign users by not allowing them to use our more powerful encryption.
The requirement was later dropped, but by that time this dual encryption delivery system had become a standard part of web browsers.
Today, this legacy design still exists in some popular programs, which leaves users of these programs vulnerable to some pretty serious exploitation on sites that they may assume are secure.
We’ve all been told to look for https:// sites to know that the connection between us and the website is secure, but the researchers found a way to exploit this legacy issue.
They discovered that they could force browsers to use the older, weaker encryption, then crack it over the course of a couple of hours.
Once they broke the encryption, they could steal passwords and personal information and even take over websites themselves to further their attacks.
The researchers have been scanning websites around the Internet to see how many may be using this exploitable hole. They found about 10% of the top 1 million most popular secure sites and almost 40% of sites that your browser would trust to be vulnerable.
The good news so far is that they haven’t seen evidence of any exploits in the wild; the bad news is it’s just a matter of time.
If you have a Mac computer, iPhone, iPad or iPod Touch and you still use the Safari browser or you’re using the default browser on many Android devices, you’re the most vulnerable.
Users of current versions of Internet Explorer, Chrome or Firefox are not at risk.
I’ve always recommended the use of either Chrome or Firefox for any computer or mobile device, because I like some of the unique security features built-in, so if you’re a Mac, iOS or Android user, I’d strongly recommend that you switch permanently.
To reduce the confusion on which devices you own that might be at risk, take a minute to visit https://freakattack.com on everything you own.
The website will test your browser and let you know if what you are using is potentially vulnerable. If you’re using an older version of Internet Explorer, Chrome or Firefox, you may need to update it in order to protect yourself.
Apple and Google are reportedly working on fixes, so in the next week or so, make sure to download the updates when they are posted.
If you’re a webmaster, the https://freakattack.com site has posted recommendations for what you should do to disable the exploit on your webserver.
Posted by Ken of Data Doctors on March 5, 2015