Another SSL security flaw has been detected by cryptographers from IMDEA, a European Union research group; INRIA, a French research company; and Microsoft Research. The Washington Post reported earlier today that “They could force browsers to use the old export-grade encryption then crack it over the course of just a few hours. Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the Websites themselves by taking over elements on a page, such as a Facebook ‘Like’ button.”
This all came about because as Matthew Green, a cryptographer and research professor at John Hopkins University put it, the NSA made sure that the early “SSL protocol itself was deliberately designed to be broken.” In the 1990’s they allowed the encryption to become stronger, however the weaker 512 bit encryption never went away, and it has now come back to cause us all more problems.
Sites that are vulnerable to this security flaw (you can verify the site by visiting: https://tools.keycdn.com/freak) can be cracked in about seven hours, using computers on Amazon Web services. This would allow hackers to conduct a “man-in-the-middle” attack to read the encrypted traffic with ease. Site such as whitehouse.gov and fbi.gov have both been patched as of now, however nsa.gov is still showing that is vulnerable to the FREAK (Factoring attack on RSA-EXPORT Keys) security flaw.
Apple has announced they are working on a patch for their mobile and desktop platforms which should be available next week. Google has also developed a patch and distributed it to its partners for distribution. The timing on sending out the updates for Android devices will depend on each of those partners however.
Be sure and update your android, and Apple devices once the patches become available to ensure your systems are secured from this flaw.