‘FREAK’ OpenSSL vulnerability: What Apple Mac, iPhone and iPad users need to know

“Security researchers have discovered a crippling OpenSSL bug in Apple and Google devices, as well as many high profile websites, which could allow “man in the middle” attacks,” Derek Erwin writes for Intego. “hese attacks can occur when Apple users are on public Wi-Fi networks, where they can be fooled into connecting to rogue servers claiming to belong to someone else.”

“The ‘FREAK’ vulnerability (CVE-2015-0204), short for Factoring attack on RSA-EXPORT Keys, makes it possible for attackers to decrypt and monitor HTTPS-protected traffic,” Erwin writes. “A FREAK attack is possible when someone with a vulnerable device — Mac OS X computers, iOS and Android devices — connects to an HTTPS-protected website configured to use an easily breakable key once thought to be dead. It requires that the attacker be in a position where they can intercept packets between the endpoint device and the HTTPS-protected website.”

The full article explains how to tell if a website is vulnerable, how to tell if your browser is vulnerable, and what can you do to stay protected until Apple delivers the fix. Read it here.

Related article:
‘FREAK’ flaw undermines security for hundreds of thousands of supposedly secure Web sites, including Whitehouse.gov, NSA.gov and FBI.gov – March 3, 2015


  1. “These attacks can occur when Apple users are on public Wi-Fi networks..”

    This is why I never use “free WiFi” anywhere. If it’s not mine, my families/friends, etc… I don’t use it.

  2. Most iPhone users will be able to update iOS to patch this bug.

    But I don’t see much discussion on the impact on Android. This surely is a major issue as most Android users can’t update due to the complexity of Android distribution.

    1. Goog has been pushing people to Chrome on Android for quite some time. They’ll just update through the Play Store or snag it in one of the bigger Play Services app updates.

      1. Yeah, but Then This Happened:

        Google Chrome suffers brain freeze on Android Ice Cream Sandwich
        Ad giant to old OS users: Move on already!

        Google says Chrome 42 will be the last version for phones, tabs and other things running Android 4.0 to 4.0.4, aka Ice Cream Sandwich (ICS).

        People using ICS will just get security updates for Chrome after version 42 is released. Users running Android 4.1, aka Jelly Bean, and later will continue to get major new versions of the browser.

        Hopefully ‘security updates’ will encompass messes like FREAK.

  3. Newer News:

    Apple Inc, Google Inc develop fixes for ‘Freak’ security bug that allows attackers to spy on browsers

    Apple spokesman Ryan James said the computer had developed a software update to remediate the vulnerability, which would be pushed out next week.


    Google spokeswoman Liz Markman said the company had also developed a patch, which it has provided to partners. She declined to say when users could expect to receive those upgrades.

    Google typically does not directly push out Android software updates. Instead they are handled by device makers and mobile carriers.

    Yeah, we know what that means: Fragmandroid hell.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.