Posted on 03/03/2015 1:22:01 PM PST by Swordmaker
Technology companies are scrambling to fix a major security flaw that for more than a decade left users of Apple and Google devices vulnerable to hacking when they visited millions of supposedly secure Web sites, including Whitehouse.gov, NSA.gov and FBI.gov.
The flaw resulted from a former U.S. government policy that once forbid the export of strong encryption and required that weaker export-grade products be shipped to customers in other countries, say the researchers who discovered the problem. These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year.
Researchers discovered in recent weeks that they could force browsers to use the old export-grade encryption then crack it over the course of just a few hours. Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the Web sites themselves by taking over elements on a page, such as a Facebook Like button.
(Excerpt) Read more at washingtonpost.com ...
If you want on or off the Mac Ping List, Freepmail me.
Don’t worry too much about this little security flaw, they are still going to leave the Back Door for the NSA, CIA, FBI, ...in their software so you can be watched over.
From a more technical site:
“Threat Model
“All the attacks on this page assume a network adversary (i.e. a man-in-the-middle) to tamper with TLS handshake messages. The typical scenario to mount such attacks is by tampering with the Domain Name System (which is known to be done by ISPs and governments for Internet censorship and domain name seizing).”
So if you actually are going to the site you think you are going to, then you are secure. You could do this by relying on local DNS for all important sites.
Does that explain why Apple’s iOS 8.2—which was supposed to come out on March 2, 2015—got delayed?
Apple never says when an update is supposed to come out, so I don’t know how you would ever figure out that it’s “delayed” ... :-) ...
It's very possible. Apple would have gotten news of this earlier than the public announcement.
What about Windows 8.1 phones?
I would assume it's possible until someone in authority and position to know definitively, says no.
I'm about to find some authoritative articles and do some learning... I have a lot of different machines and I need to know which are secure now.
Firefox on OS X appears okay, as do Firefox and IE on Win7.
I don't have Google Chrome or Safari on Windows so I don't know about those.
Not quite, or for just mobile hand held devices. The problem is in the way the websites can force any browser to use the encryption of choice on the website. . . and downgrade it. The reason it may be more dangerous to mobile devices is because it requires a "man-in-the-middle" interception attack to be utilized and they are more likely to be in a position to be exposed to such an attack such as in a coffee shop, hotel, airport, etc. . . but so are laptops from any platform.
This would allow hackers to conduct what experts call a man-in-the-middle attack to make seemingly encrypted traffic easy to read. Such attacks can be launched by anybody who has access to Internet traffic, including governments, employers, Internet providers and coffee shops or airports that offer wifi hotspots.
Apple's Safari in both mobile iOS and desktop OS X versions will notify users if the "secure" website does not have a proper certificate. . . or does not have the correct URL, i.e. is a Man-in-the-middle exploit, so I cannot see this would work with Safari either. . . unless the user told Safari to go ahead and connect, despite the warning. Yes, the browser probably would devolve down to the lower grade encryption, but would it recognize the secure HTTPS website as being authentic, which is required FIRST for the man-in-the-middle attack to work.
The alternative is for the secure, authentic website to be deliberately malicious in the first place and untrustworthy, designed to hack into the device. . . and that would work. THAT does need to be fixed so the browsers will never step down. However, I notice that the 512 bit key of this antique system still requires around seven hours to break. . . and that means the user would have to remain connected to the malicious website for more than seven hours for the hacker to gain access and get any information. How many of us stay on any website except perhaps FreeRepublic for more than seven hours at a time?
Problem is, I follow links from FR to the source web pages of articles. And then often am not fastidious about closing tabs. Would this danger occur if I'm not in a putatively secure web page?
LOL. Maybe not on my mobiles, although the iPad gets left at home where it may stay connected for days at a time. My home desktops are not uncommonly on for days at a time, browsers up.
But oh, my desktops at work? Work is on 24x7x365 with multiple browser windows each with multiple tabs loaded. Of course, that's work stuff, not FR, but you get my drift.
If they capture the packets, they can crack the key and replay the session at their leisure.
That will only help them get what you were doing at the time. . . not break into your device.
Yup. And if the session happened to have been you logging into your bank ...
Do you log into your bank while on a public WIFI?
LOL. Good point! I'm quite sure a lot of people do, who don't realize how utterly dangerous public wifi can be. It's absolutely trivial to subvert a public wifi network to act as a mitm attack.
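The client-side check that keeps a browser from stepping down, as discussed in this thread, sketched as an added example that is not part of any post above. It is a simplified Python model, not real TLS code; the suite names follow OpenSSL's naming, and `MIN_RSA_BITS`, `ServerReply` and `client_accepts` are illustrative assumptions.

```python
from dataclasses import dataclass

# Assumed policy floor for this example; the thread only mentions the 512-bit export key.
MIN_RSA_BITS = 2048

@dataclass
class ServerReply:
    chosen_suite: str        # suite the server says it selected
    key_exchange_bits: int   # size of the RSA key protecting the session secret

def is_export(suite):
    # OpenSSL's naming marks export-grade suites with an "EXP-" prefix.
    return suite.startswith("EXP-")

def client_accepts(offered, reply):
    """Return (accepted, reason) for a reply, judged against what the client itself sent."""
    if reply.chosen_suite not in offered:
        return False, "suite was never offered by this client"
    if is_export(reply.chosen_suite):
        return False, "export-grade suite"
    if reply.key_exchange_bits < MIN_RSA_BITS:
        return False, "key-exchange key below policy floor"
    return True, "ok"

# Constructed sample data: what a modern client offers, and three replies it might see.
OFFERED = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
CASES = {
    "honest server": ServerReply("AES128-SHA", 2048),
    "offer rewritten in transit": ServerReply("EXP-RC4-MD5", 512),
    "strong suite name, weak key": ServerReply("AES128-SHA", 512),
}

def evaluate_cases():
    return {name: client_accepts(OFFERED, reply) for name, reply in CASES.items()}

if __name__ == "__main__":
    for name, (ok, reason) in evaluate_cases().items():
        print(f"{name:30} accepted={ok}  ({reason})")
```

The third case shows why checking the suite name alone is not enough: the client also has to reject a weak key even when the negotiated suite looks strong.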