A new Internet vulnerability is affecting popular SSL clients across the web.
Eerily named FREAK, this flaw allows attackers to force servers to downgrade
to weakened ciphers. Once this is done, the attackers can easily crack the
encrypted communications of these weakened servers through advanced
Man-In-The-Middle (MITM) attacks. If all that sounds a bit complicated, this
blog post aims to simplify it for you and give you the lowdown on how the
FREAK attack affects you.
How did this attack originate?
The origins of this attack lie in the complex and murky world of United States
diplomacy and international relations in the 1980s. A federal policy at that
time forbade the export of software products with strong encryption. As a
result, weaker export-grade products were shipped to other countries. While
this policy was lifted in the 1990s, this ‘weaker encryption’ somehow became
embedded in various software applications of the time and was never actively
rectified until many years later.
While some developers eventually
shifted to stronger encryption over time, this flaw remained inherent in many
applications. Attackers gradually discovered ways to force servers to switch to
this weaker encryption so that they could successfully intercept their data with
MITM attacks.
Why is this attack called ‘FREAK’?
The name FREAK stands for “Factoring Attack on RSA-EXPORT Keys”.
What can attackers really do via FREAK?
This attack enables malicious parties to intercept the encrypted connections
of vulnerable web browsers and crack them over a few hours. This would
enable the attackers to steal confidential passwords and other sensitive data.
This could lead to several other privacy and security issues in turn. It can
also enable attackers to take control over specific elements on webpages.
Right now the FREAK vulnerability
primarily affects Android and Apple Safari web browsers. The Google Chrome
browser installed on Android phones is not vulnerable. However, the in-built
web browser is vulnerable to this attack. Searches carried out on the in-built
Google search engine site are also not vulnerable.
Google has reported that it has
extended solutions to its partners i.e. the manufacturers of Android devices.
But it ultimately lies in the hands of these OEMs to implement the solution in
order to protect their users. Apple is in the process of finding and
implementing a solution for this purpose and intends to release the fix within
a week.
How can I learn more about FREAK?
A good source for finding out which sites are affected, and for further
reading on the topic, is freakattack.com.
Some popular sites that are affected by this vulnerability are as follows:
- Business Insider
- American Express
- Jabong
- Airtel
- Tiny URL
- Zomato
- National Geographic
- Axis Bank
- Gaana
- ZDNet
These and many other popular websites are vulnerable to FREAK. If you
regularly visit and use these websites, you need to be very careful.
Researchers have also claimed that 36.7% of browser-trusted sites are
vulnerable. This effectively means that 1 in 3 sites that you visit could be
at risk.
FREAK comes along at a time when authorities all over the world are already
struggling with the moral issue of gaining access into people’s personal
devices and accounts for law enforcement purposes. They are also dealing with
strong encryption technology implemented by device makers and their refusal
to grant these ‘open doors’ into devices.