Attackers can theoretically use FREAK Attack to intercept what should be a secure HTTPS connection — the one with the lock icon in the address bar — and downgrade the encryption to "export-grade", which is much easier to crack. Safari, both on OS X and iOS, among other browsers, can be susceptible to FREAK Attacks, but Apple is aware of the exploit and moving swiftly to patch it:
"We have a fix in iOS and OS X," an Apple spokesperson told iMore, "that will be available in software updates next week."
FREAK Attack stands for "Factoring attack on RSA-EXPORT Keys". The vulnerability has apparently existed for a decade but was only recently discovered and disclosed by researchers. According to the FREAKAttack.com:
A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.
Here's what website administrators should do:
If you run a web server, you should disable support for any export suites. However, instead of simply excluding RSA export cipher suites, we encourage administrators to disable support for all known insecure ciphers (e.g., there are export cipher suites protocols other than RSA) and enable forward secrecy.
They also include a list of websites, some of the internet's largest, known to be vulnerable at the time of the reporting.
The weaker, 512-bit encryption, is called "export-grade" due to a U.S. policy, which ended in the 1990s, that once prohibited the export of strong encryption. It highlights the inherent problem with government demands for lower levels of security and "back doors": Security is only ever as strong as its weakest point. The Wachington Post:
The [FREAK Attack] problem illuminates the danger of unintended security consequences at a time when top U.S. officials, frustrated by increasingly strong forms of encryption on smartphones, have called for technology companies to provide "doors" into systems to protect the ability of law enforcement and intelligence agencies to conduct surveillance.Matthew D. Green, a Johns Hopkins cryptographer who helped investigate the encryption flaw, said any requirement to weaken security adds complexity that hackers can exploit. "You're going to add gasoline onto a fire," said Green. "When we say this is going to make things weaker, we're saying this for a reason."
In other words, doors open. It's what they're designed to do.
We'll let everyone know as soon as the iOS and OS X patches are live.
