‘FREAK’ OpenSSL vulnerability: What Apple Mac, iPhone and iPad users need to know

“Security researchers have discovered a crippling OpenSSL bug in Apple and Google devices, as well as many high profile websites, which could allow ‘man in the middle’ attacks,” Derek Erwin writes for Intego. “These attacks can occur when Apple users are on public Wi-Fi networks, where they can be fooled into connecting to rogue servers claiming to belong to someone else.”

“The ‘FREAK’ vulnerability (CVE-2015-0204), short for Factoring attack on RSA-EXPORT Keys, makes it possible for attackers to decrypt and monitor HTTPS-protected traffic,” Erwin writes. “A FREAK attack is possible when someone with a vulnerable device — Mac OS X computers, iOS and Android devices — connects to an HTTPS-protected website configured to use an easily breakable key once thought to be dead. It requires that the attacker be in a position where they can intercept packets between the endpoint device and the HTTPS-protected website.”

The full article explains how to tell if a website is vulnerable, how to tell if your browser is vulnerable, and what you can do to stay protected until Apple delivers the fix. Read it here.
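The server-side half of the check the article describes can be scripted. The example below is added here and is not from the Intego article or from this page: it builds a TLS ClientHello that offers only the RSA_EXPORT cipher suites, then inspects the server's first record. A server that answers with a ServerHello selecting one of those suites still supports export-grade RSA and is the kind of site a FREAK downgrade needs; a server that sends a handshake_failure alert does not. The hostname example.com and the embedded ServerHello/alert byte strings are constructed for offline testing; `probe()` does the real network exchange.

```python
import socket
import struct

# IANA cipher-suite values for the export-grade RSA suites FREAK abuses.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def build_client_hello(server_name, suites=tuple(EXPORT_RSA_SUITES)):
    """TLS 1.0 ClientHello offering only the given suites, with an SNI extension."""
    random_bytes = b"\x00" * 32  # fixed value: fine for a probe, never for a real client
    cipher_bytes = b"".join(struct.pack("!H", s) for s in suites)
    name = server_name.encode()
    # server_name extension: type 0, then list length, name type (host_name=0), name length, name
    sni_ext = (struct.pack("!HH", 0x0000, len(name) + 5)
               + struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    body = (b"\x03\x01" + random_bytes + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
            + b"\x01\x00"                                  # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first TLS record a server returns.

    Returns ("server_hello", chosen_suite), ("alert", description), ("incomplete", None)
    or ("other", content_type).
    """
    if len(data) < 5:
        return ("incomplete", None)
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == 0x15:  # alert: level, description
        return ("alert", payload[1] if len(payload) >= 2 else None)
    if content_type == 0x16 and payload and payload[0] == 0x02:  # handshake, ServerHello
        pos = 4 + 2 + 32                      # handshake header, version, random
        sid_len = payload[pos]
        pos += 1 + sid_len                    # skip session id
        suite = struct.unpack("!H", payload[pos:pos + 2])[0]
        return ("server_hello", suite)
    return ("other", content_type)


def is_export_suite(suite):
    return suite in EXPORT_RSA_SUITES


def probe(host, port=443, timeout=5.0):
    """Send the export-only ClientHello to a live server and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        return parse_server_response(sock.recv(4096))


# Constructed sample responses so the parser can be exercised offline.
def make_server_hello(suite):
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


SAMPLE_ACCEPTS_EXPORT = make_server_hello(0x0008)          # server picked DES40 export suite
SAMPLE_REFUSES_EXPORT = b"\x15\x03\x01\x00\x02\x02\x28"   # fatal handshake_failure alert


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # hostname is a placeholder
    kind, detail = probe(target)
    if kind == "server_hello" and is_export_suite(detail):
        print(f"{target}: accepts {EXPORT_RSA_SUITES[detail]} (export RSA enabled)")
    else:
        print(f"{target}: did not select an export suite ({kind}, {detail})")
```

This only tests the server precondition. A complete FREAK attack additionally needs a client that accepts an RSA_EXPORT key exchange it never offered (the client-side bug patched in OpenSSL, OS X and iOS) and an attacker who factors the server's 512-bit export key, so a server passing this probe is necessary but not sufficient for exploitation.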

Related article:
‘FREAK’ flaw undermines security for hundreds of thousands of supposedly secure Web sites, including Whitehouse.gov, NSA.gov and FBI.gov – March 3, 2015

13 Comments

  1. “These attacks can occur when Apple users are on public Wi-Fi networks..”

    This is why I never use “free WiFi” anywhere. If it’s not mine, my family’s, friends’, etc… I don’t use it.

  2. Most iPhone users will be able to update iOS to patch this bug.

    But I don’t see much discussion on the impact on Android. This surely is a major issue as most Android users can’t update due to the complexity of Android distribution.

    1. Goog has been pushing people to Chrome on Android for quite some time. They’ll just update through the Play Store or snag it in one of the bigger Play Services app updates.

      1. Yeah, but then this happened:

        Google Chrome suffers brain freeze on Android Ice Cream Sandwich
        Ad giant to old OS users: Move on already!

        Google says Chrome 42 will be the last version for phones, tabs and other things running Android 4.0 to 4.0.4, aka Ice Cream Sandwich (ICS).

        People using ICS will just get security updates for Chrome after version 42 is released. Users running Android 4.1, aka Jelly Bean, and later will continue to get major new versions of the browser.

        Hopefully ‘security updates’ will encompass messes like FREAK.

  3. Newer News:

    Apple Inc, Google Inc develop fixes for ‘Freak’ security bug that allows attackers to spy on browsers

    Apple spokesman Ryan James said the company had developed a software update to remediate the vulnerability, which would be pushed out next week.

    HURRAY

    Google spokeswoman Liz Markman said the company had also developed a patch, which it has provided to partners. She declined to say when users could expect to receive those upgrades.

    Google typically does not directly push out Android software updates. Instead they are handled by device makers and mobile carriers.

    Yeah, we know what that means: Fragmandroid hell.
