“Technology companies are scrambling to fix a major security flaw that for more than a decade left users of Apple and Google devices vulnerable to hacking when they visited hundreds of thousands of supposedly secure Web sites, including Whitehouse.gov, NSA.gov and FBI.gov,” Craig Timberg reports for The Washington Post. “The flaw resulted from a former U.S. government policy that once forbid the export of strong encryption and required that weaker ‘export-grade’ products be shipped to customers in other countries, say the researchers who discovered the problem. These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely-used software that proliferated around the world and back into the United States, apparently unnoticed until this year.”
“Researchers discovered in recent weeks that they could force browsers to use the old export-grade encryption then crack it over the course of just a few hours. Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the Web sites themselves by taking over elements on a page, such as a Facebook ‘Like’ button,” Timberg reports. “The problem illuminates the danger of unintended security consequences at a time when top U.S. officials, frustrated by increasingly strong forms of encryption on smartphones, have spoken of requiring technology companies to build ‘[back] doors’ into systems to protect the ability of law enforcement and intelligence agencies to conduct surveillance.”
“In recent days, FBI.gov and Whitehouse.gov have been fixed, though NSA.gov remains vulnerable, said Green. Apple is preparing a security patch that will be in place next week for both its computers and its mobile devices, said company spokeswoman Trudy Miller,” Timberg reports. “Google declined to comment for this story. It typically has more trouble delivering security updates because the company does not sell or manufacture most devices using the Android operating system.”
Read more in the full article here.
MacDailyNews Take: This is ironic on so many levels.
So, why were the weaker encryption products forced by the U.S. back in the 1990s? Hmmm…
Life is a tragedy when seen in close-up, but a comedy in long-shot. – Charlie Chaplin
[Thanks to MacDailyNews Readers “Fred Mertz” and “Dan K.” for the heads up.]
Related hypocrisy:
Obama criticizes China’s demands for U.S. tech firms to hand over encryption keys, install backdoors – March 3, 2015
Obama administration demands master encryption keys from firms in order to conduct electronic surveillance against Internet users – July 24, 2013
To answer MDN’s question about why weak encryption products made it back to the U.S… It’s probably because so many products that we are dependent on were outsourced to be manufactured overseas. Now if the final manufacturing involving addition of the ‘secure’ encryption components occurred on US soil then we would possibly have fewer problems now. Another possibility was that for smaller manufacturers that intend to sell their product both domestically and overseas it was a matter of producing 2 models or go for the economies of scale by producing only 1.
Actually, MDN’s question was why the US Government forced the weaker encryption in the first place. During the 1980s, there was this thing called the Cold War. Folks like Ronald Reagan thought that perhaps exporting software that could be adapted to provide the Soviet Union with secure battlefield communications was a bad idea. When the Cold War was “over,” the restrictions were dropped because they no longer seemed to be needed.
We are all much more enlightened now and know that secure communications for everyone are an absolute human right (MDN says so). It’s so much more fun to let people bomb us with no chance of an advance warning, just like it’s more fun to trade child porn when the authorities can’t possibly intercept your communications or search your encrypted phone and computer. Perhaps those who seek security over privacy will have neither, but those who don’t defend their society against common enemies won’t survive to have either.
You don’t make sense. Backdoors let everyone in, including your enemies. The only options are data-security for all, or data-security for none. It is impossible to make your enemies vulnerable without making your own people vulnerable.
Undermining encryption technology will NOT make anyone safer.
Read this for more: https://www.schneier.com/blog/archives/2015/03/the_democratiza_1.html
And, now, they going to regulate the ISPs…
To quote Matthew Green from his source article:
Encryption backdoors will always turn around and bite you in the ass. They are never worth it.
As soon as Apple releases their fix, they need to point to Google and announce that they had been warned and didn’t fix Android in a proper amount of time.
Good times. reminds me of the good old 1990s and the Clipper chip and all the debate around key strength and the 40-bit DES standard.
Another fine debacle that was.
“… What the government did next was shocking and has security experts scratching their heads.”
I was learning about web encryption years ago, and it surprised me when I noticed nearly all servers and browsers supported encryption practices that had been proven ineffective. There were much better encryption options available – really secure encryption has been a “solved problem” for a long time. Solid and reliable encryption software is used in many industries. But all web browsers and servers were, for reasons unknown to me, still built to support the easy-to-break kinds of encryption.
I figured, at the time, that it was Microsoft’s fault. Their Internet Explorer and IIS were some the most influential browser and web server programs for a significant parts of the web’s history, and lagged behind everyone else in security practices. So if Microsoft was too lazy or incompetent to use good encryption in these programs, and the rest of the web had to support their crappy encryption anyway, or lose interoperability. It was just yet another example of Microsoft’s crappy software lowering the bar for everyone in the digital world.
It wasn’t until the Snowden leaks that I had to update this view. The piss quality of web encryption could not blamed on Microsoft alone. Apparently, the US government has just been sabotaging encryption across of the entire web for decades, as outrageous, ridiculous, and outright stupid as that might sound. Evidently, the government has been influencing standards groups, open source projects, and private corporations, to ensure effective methods of encryption never get widespread use on the web. That’s apparently the real answer the question I had years earlier: why the whole web was seemed to be using bullshit encryption when real encryption was an option.
Original headline: “FREAK” flaw undermines security for Apple and Google users, researchers discover.
MDN Headline ‘FREAK’ flaw undermines security for hundreds of thousands of supposedly secure Web sites, including Whitehouse.gov, NSA.gov and FBI.gov
Yes, MDN, revising history to suit their purposes, certainly can’t say that they aren’t patriotic.
Those who would give up essential truth, to purchase a little temporary glory, deserve neither truth nor glory.