“FREAK” flaw undermines security for Apple and Google users, researchers discover
The Washington Post | March 3 at 12:42 PM | By Craig Timberg

Posted on 03/03/2015 1:22:01 PM PST by Swordmaker

Technology companies are scrambling to fix a major security flaw that for more than a decade left users of Apple and Google devices vulnerable to hacking when they visited millions of supposedly secure Web sites, including Whitehouse.gov, NSA.gov and FBI.gov.

The flaw resulted from a former U.S. government policy that once forbade the export of strong encryption and required that weaker “export-grade” products be shipped to customers in other countries, say the researchers who discovered the problem. These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year.

Researchers discovered in recent weeks that they could force browsers to use the old export-grade encryption then crack it over the course of just a few hours. Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the Web sites themselves by taking over elements on a page, such as a Facebook “Like” button.

(Excerpt) Read more at washingtonpost.com ...


TOPICS: Business/Economy; Computers/Internet; Conspiracy
KEYWORDS: apple; appledevices; computersecurity; google; googledevices

1 posted on 03/03/2015 1:22:01 PM PST by Swordmaker

To: ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; altair; ...
The Secure Web Page isn't as secure as you think. . . and it applies to all platforms! Something the government regulations have again screwed up! — PING!


Apple AND Windows AND Linux
SECURITY Ping!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 03/03/2015 1:25:11 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

Don’t worry too much about this little security flaw; they are still going to leave the Back Door for the NSA, CIA, FBI, ...in their software so you can be watched over.


3 posted on 03/03/2015 1:41:43 PM PST by eyeamok

To: Swordmaker

From a more technical site:

“Threat Model

“All the attacks on this page assume a network adversary (i.e. a man-in-the-middle) to tamper with TLS handshake messages. The typical scenario to mount such attacks is by tampering with the Domain Name System (which is known to be done by ISPs and governments for Internet censorship and domain name seizing).”

So if you actually are going to the site you think you are going to, then you are secure. You could do this by relying on local DNS for all important sites.


4 posted on 03/03/2015 1:54:35 PM PST by proxy_user

To: Swordmaker

Does that explain why Apple’s iOS 8.2—which was supposed to come out on March 2, 2015—got delayed?


5 posted on 03/03/2015 2:02:03 PM PST by RayChuang88 (FairTax: America's economic cure)

To: RayChuang88

Apple never says when an update is supposed to come out, so I don’t know how you would ever figure out that it’s “delayed” ... :-) ...


6 posted on 03/03/2015 2:09:00 PM PST by Star Traveler (Remember to keep the Messiah of Israel in the One-World Government that we look forward to coming)

To: RayChuang88
Does that explain why Apple’s iOS 8.2—which was supposed to come out on March 2, 2015—got delayed?

It's very possible. Apple would have gotten news of this earlier than the public announcement.

7 posted on 03/03/2015 2:15:17 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

What about Windows 8.1 phones?


8 posted on 03/03/2015 3:12:26 PM PST by Excellence (Marine mom since April 11, 2014)

To: Excellence; Swordmaker
> What about Windows 8.1 phones?

I would assume it's possible until someone in authority and a position to know definitively says no.

I'm about to find some authoritative articles and do some learning... I have a lot of different machines and I need to know which are secure now.

9 posted on 03/03/2015 3:22:39 PM PST by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: dayglored; Excellence; Swordmaker
Looks to me like it's limited to Google/Android devices, Apple iOS devices, and Safari on OS X.

Firefox on OS X appears okay, as do Firefox and IE on Win7.

I don't have Google Chrome or Safari on Windows so I don't know about those.

10 posted on 03/03/2015 3:45:07 PM PST by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: dayglored
Looks to me like it's limited to Google/Android devices, Apple iOS devices, and Safari on OS X.

Firefox on OS X appears okay, as do Firefox and IE on Win7.

Not quite, or for just mobile handheld devices. The problem is in the way the websites can force any browser to use the encryption of choice on the website. . . and downgrade it. The reason it may be more dangerous to mobile devices is because it requires a "man-in-the-middle" interception attack to be utilized and they are more likely to be in a position to be exposed to such an attack, such as in a coffee shop, hotel, airport, etc. . . but so are laptops from any platform.

This would allow hackers to conduct what experts call a “man-in-the-middle” attack to make seemingly encrypted traffic easy to read. Such attacks can be launched by anybody who has access to Internet traffic, including governments, employers, Internet providers and coffee shops or airports that offer wifi hotspots.

Apple's Safari in both mobile iOS and desktop OS X versions will notify users if the "secure" website does not have a proper certificate. . . or does not have the correct URL, i.e. is a Man-in-the-middle exploit, so I cannot see this would work with Safari either. . . unless the user told Safari to go ahead and connect, despite the warning. Yes, the browser probably would devolve down to the lower grade encryption, but would it recognize the secure HTTPS website as being authentic, which is required FIRST for the man-in-the-middle attack to work?

The alternative is for the secure, authentic website to be deliberately malicious in the first place and untrustworthy, designed to hack into the device. . . and that would work. THAT does need to be fixed so the browsers will never step down. However, I notice that the 512 bit key of this antique system still requires around seven hours to break. . . and that means the user would have to remain connected to the malicious website for more than seven hours for the hacker to gain access and get any information. How many of us stay on any website except perhaps FreeRepublic for more than seven hours at a time?

11 posted on 03/03/2015 4:45:59 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
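An added example, not code from this thread or from the researchers' site quoted in post 4: detection logic for the handshake tampering that post 4's threat model and post 11's "downgrade" description are about. It parses a captured TLS ClientHello/ServerHello pair and flags a handshake in which the server selected an export-grade RSA suite, or a suite the client never offered, which is how a rewritten handshake looks on the wire. The sample handshake bytes are constructed inline, so it runs offline.

```python
import struct
# Export-grade RSA key-exchange suites (RFC 2246, appendix A.5), all 512-bit RSA.
EXPORT_RSA_SUITES = {0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                     0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
                     0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"}

def _handshake(record):
    # Strip the 5-byte record header and 4-byte handshake header.
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    return hs[0], hs[4:4 + int.from_bytes(hs[1:4], "big")]

def hello_suites(record):
    # ClientHello (type 1): the offered list, in the client's order.
    # ServerHello (type 2): a one-element list holding the server's selection.
    msg_type, body = _handshake(record)
    pos = 2 + 32 + 1 + body[34]            # version + random + session_id
    if msg_type == 0x02:
        return [struct.unpack("!H", body[pos:pos + 2])[0]]
    if msg_type != 0x01:
        raise ValueError("not a ClientHello or ServerHello")
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + n, 2)]

def freak_findings(client_hello, server_hello):
    # One string per finding; an empty list means no downgrade was seen.
    offered, chosen = hello_suites(client_hello), hello_suites(server_hello)[0]
    findings = []
    if chosen in EXPORT_RSA_SUITES:
        findings.append("export-grade suite negotiated: " + EXPORT_RSA_SUITES[chosen])
    if chosen not in offered:
        findings.append("server chose 0x%04x, which the client never offered" % chosen)
    return findings

def build_hello(msg_type, suites):
    # Constructed TLS 1.0 hello (zero random, empty session id) for the samples below.
    head = b"\x03\x01" + bytes(32) + b"\x00"
    if msg_type == 0x01:
        cs = b"".join(struct.pack("!H", s) for s in suites)
        body = head + struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # null compression only
    else:
        body = head + struct.pack("!H", suites[0]) + b"\x00"
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed capture: the client offered only strong suites, yet the ServerHello it got back (rewritten in transit) selects RSA_EXPORT.
CLIENT_HELLO = build_hello(0x01, [0x002F, 0x000A])   # AES128-SHA, 3DES-EDE-SHA
TAMPERED_SERVER_HELLO = build_hello(0x02, [0x0003])  # RSA_EXPORT_WITH_RC4_40_MD5
HONEST_SERVER_HELLO = build_hello(0x02, [0x002F])
```

The "never offered" check is the one that matters for FREAK: a patched client rejects such a ServerHello itself, so seeing one accepted in a capture is a sign of both a network adversary and an unpatched client.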

To: Swordmaker
The alternative is for the secure, authentic website to be deliberately malicious in the first place and untrustworthy, designed to hack into the device. . . and that would work. THAT does need to be fixed so the browsers will never step down. However, I notice that the 512 bit key of this antique system still requires around seven hours to break. . . and that means the user would have to remain connected to the malicious website for more than seven hours for the hacker to gain access and get any information. How many of us stay on any website except perhaps FreeRepublic for more than seven hours at a time?
Problem is, I follow links from FR to the source web pages of articles. And then often am not fastidious about closing tabs. Would this danger occur if I’m not in a putatively secure web page?

12 posted on 03/03/2015 5:11:17 PM PST by conservatism_IS_compassion ('Liberalism' is a conspiracy against the public by wire-service journalism.)

To: Swordmaker
> However, I notice that the 512 bit key of this antique system still requires around seven hours to break. . . and that means the user would have to remain connected to the malicious website for more than seven hours for the hacker to gain access and get any information. How many of us stay on any website except perhaps FreeRepublic for more than seven hours at a time?

LOL. Maybe not on my mobiles, although the iPad gets left at home where it may stay connected for days at a time. My home desktops are not uncommonly on for days at a time, browsers up.

But oh, my desktops at work? Work is on 24x7x365 with multiple browser windows each with multiple tabs loaded. Of course, that's work stuff, not FR, but you get my drift.

13 posted on 03/03/2015 6:01:10 PM PST by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)

To: Swordmaker
However, I notice that the 512 bit key of this antique system still requires around seven hours to break. . . and that means the user would have to remain connected to the malicious website for more than seven hours for the hacker to gain access and get any information. How many of us stay on any website except perhaps FreeRepublic for more than seven hours at a time?

If they capture the packets, they can crack the key and replay the session at their leisure.

14 posted on 03/03/2015 8:13:15 PM PST by zeugma (The act of observing disturbs the observed.)

To: zeugma; dayglored
If they capture the packets, they can crack the key and replay the session at their leisure.

That will only help them get what you were doing at the time. . . not break into your device.

15 posted on 03/03/2015 8:48:49 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker
That will only help them get what you were doing at the time. . . not break into your device.

Yup. And if the session happened to have been you logging into your bank ...

16 posted on 03/04/2015 6:05:32 AM PST by zeugma (The act of observing disturbs the observed.)

To: zeugma
Yup. And if the session happened to have been you logging into your bank ...

Do you log into your bank while on a public WIFI?

17 posted on 03/04/2015 11:23:30 AM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker
Do you log into your bank while on a public WIFI?

LOL. Good point! I'm quite sure a lot of people do, who don't realize how utterly dangerous public wifi can be. It's absolutely trivial to subvert a public wifi network to act as a mitm attack.

18 posted on 03/04/2015 12:26:31 PM PST by zeugma (The act of observing disturbs the observed.)
