Decade-old ‘FREAK’ flaw leaves websites in tatters.

As bugs like Shellshock come into the limelight, it’s becoming a theme that our past is coming back to haunt us. This password authentication ‘FREAK’ threat has left users vulnerable and developers in the dark about this vulnerability for nearly a decade.

This issue began over 20 years ago, when “a former U.S. government policy forbade the export of strong encryption and required that weaker “export-grade” products be shipped to customers in other countries.” What this means is that 20 years ago, when we shipped software, we set a hard cap on the security of this software to denote it as ‘export-grade.’ The result was that any free or open source software that was developed before this ban occurred had these vulnerabilities attached to it. I mention free and open source because developers don’t like to reinvent the wheel, so they use open source APIs and software. Therefore, bugs found in this software were unknown to developers and proliferated around the world as that software and new software was created.

Now this restriction was removed in the late 90s, but its implications have lasted until today. It now appears that users can force browsers to use the lower encryption, allowing hackers to crack codes of 512 bytes rather than 1024. This may not seem like a lot, but the difference between 512 bytes and 1024 is the difference between one hacker breaking a code using 75 machines in 7 hours, and a team of hackers using over a million machines and one year to break the code, respectively.

Once these passwords were accessed, hackers could implement cross-site-scripting vulnerabilities into webpages. This is when you overwrite the JavaScript on a page and run whatever you want. These kinds of attacks were very popular in MySpace ‘worms,’ where once you visited someone’s page, you instantly became their friend, and then someone would visit your page and the same thing would occur to them.

An excellent lesson to learn from this vulnerability is that you can’t develop software with an ‘insecure’ and ‘secure’ mode. This will only negatively affect all users. And a list of vulnerable websites can be found here.
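To make the "no insecure mode" lesson checkable, here is an added example (not part of the original post) that audits a server's cipher configuration for export-grade suites that a downgrade could fall back to. It assumes OpenSSL-style cipher strings; `audit_cipher_string`, `verdict` and the sample strings are hypothetical names and constructed inputs.

```python
import re

# OpenSSL cipher-string keywords that cover every export-grade suite.
GROUP = {"EXPORT", "EXP"}
# Narrower keywords and individual suite names such as EXP-RC4-MD5.
EXPORT_NAME = re.compile(r"^(EXPORT(40|56)|EXP(1024)?-.+)$")

def audit_cipher_string(cipher_string):
    """Return (enabled, excluded) for an OpenSSL-style cipher string.

    enabled:  export-grade tokens still switched on after all operators.
    excluded: True if '!EXPORT' or '!EXP' permanently removes the group.
    Narrower tokens are tracked by name only, so the audit errs toward
    reporting rather than toward silence.
    """
    enabled, killed, excluded = [], set(), False
    for raw in re.split(r"[:, ]+", cipher_string.strip()):
        op = raw[:1] if raw[:1] in ("!", "-", "+") else ""
        name = raw[len(op):].upper()
        if name not in GROUP and not EXPORT_NAME.match(name):
            continue                      # not an export-grade token
        if op in ("!", "-"):              # both remove; only '!' is permanent
            if name in GROUP:
                enabled.clear()
            elif name in enabled:
                enabled.remove(name)
            if op == "!":
                excluded = excluded or name in GROUP
                killed.add(name)
        elif op == "" and not excluded and name not in killed \
                and name not in enabled:
            enabled.append(name)
        # '+' only reorders suites already present, so it enables nothing
    return enabled, excluded

def verdict(cipher_string):
    enabled, excluded = audit_cipher_string(cipher_string)
    if enabled:
        return "FAIL"   # a weak mode is reachable by negotiation
    if not excluded:
        return "WARN"   # safety depends on library defaults, not the config
    return "PASS"

# Constructed sample configurations, not taken from any real server.
SAMPLES = ["ALL:!aNULL:EXP-RC4-MD5", "HIGH:MEDIUM:!aNULL",
           "HIGH:!aNULL:!EXPORT:EXP-RC4-MD5"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(verdict(sample), sample)
```

A `WARN` means the string never names export suites but also never rules them out, so whether broad keywords pull them in depends on the TLS library build in use.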

-Bryon Wilkins

Timberg, Craig. “‘FREAK’ Flaw Undermines Security for Apple and Google Users, Researchers Discover.” Washington Post. The Washington Post, 3 Mar. 2015. Web. 04 Mar. 2015. <http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/>.
