Wednesday, March 4, 2015

FREAK SSL Vulnerability Identified


Yesterday, news broke of a new Secure Sockets Layer, or SSL, vulnerability that both Google and Apple have begun working on patches for.

ZDNet described the security problem by saying:
"The FREAK bug disclosed yesterday is the latest in a series of vulnerabilities affecting the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols used to encrypt traffic between an HTTPS website and a browser."
At the root of the problem, it is possible for a hacker to compromise a website in a way that allows their computer to be inserted into what is supposed to be a private communication between your browser and a web server, for things like online banking or shopping. In the end, you don't get what you want and the hacker gets your personal information.

ZDNet goes on to say that the National Security Agency, the very same United States government agency spearheading the charge to weaken encryption security, is also vulnerable to this problem.

Here's my favorite part:

"Thousands of sites are vulnerable, including that of the US National Security Agency - the same agency that pushed for weaker export grade encryption, according to Ed Felten, director of Princeton's Center for Information Technology Policy.

"There is an important lesson here about the consequences of crypto policy decisions: the NSA's actions in the '90s to weaken exportable cryptography boomeranged on the agency, undermining the security of its own site twenty years later," Felten wrote on his blog yesterday."
Apple is working on updates for Safari for both iOS and Mac OS X, which are expected to be deployed next week.

For more, see the full ZDNet.com article.
