FREAK Attack

The blogosphere is ablaze again today with the disclosure of yet another security vulnerability in Mac OS X and iOS. To be fair, this attack can also affect nearly any browser currently in use. It involves the SSL/TLS system that provides secure connections over https:// and dates back to when US export law allowed only encryption systems of 512 bits or less to be exported outside the US. That law was lifted in the late 1990s, and nearly all secure connections nowadays use 1024-bit encryption. However, most browsers kept the capability to use the less secure encryption system if the server they were connecting to requested it. The attack, dubbed FREAK, fools the browser into using the less secure 512-bit encryption system. The significance is that 512-bit encryption can be broken with as little as $100 of rentable computing power.

A patch from Apple for both Mac OS X and iOS is being prepared and should be available next week.

To read more definitive discussions of the topic, follow these links:

