On March 3, security researchers noted that an age-old SSL bug—in existence for more than 10 years—allows hackers under the right conditions to exploit a man-in-the-middle attack and gain access to potentially sensitive information.
FREAK (Factoring RSA-EXPORT Keys) SSL relies on outdated ‘export grade’ cryptography settings, which are still contained within some web server code today. According to Mikah Sargent of NewsyTech, approximately 12% of the world’s top 1 million websites are vulnerable to this flaw.
Initially, the bug was determined to affect secure web browsing via iOS, Android and OS X devices, but later in the week, Microsoft issued a security advisory confirming Windows users could also be affected.
In the 1990s, United States policy required that external communications avoid too strong a level of encryption. “Export” grade 512-bit cryptography—meaning more easily breakable than the 1024-bit US crypto—became a standard for external communication.
At the time, 512-bit cryptography was considered much more secure than it is today. In modern times, a hacker can potentially break a single 512-bit key in under a day. In fact, Johns Hopkins University cryptographer Matthew D. Green estimates this could be done in 7.5 hours, renting online CPU resources for about 100 USD.
What this means
The chances of being affected by this bug remain relatively slim. In order for a hacker to utilize FREAK, they would need to:
- Find a vulnerable web server that offers export-level encryption and re-uses the same encryption key for long amount of time
- Break the current encryption key (using CPU resources + time) before it is reset on the server
- Find vulnerable users connecting to the server
With these conditions met, a hacker could potentially execute a man-in-the-middle attack. For example, using unsecured Wi-Fi in a coffee shop, a hacker could intercept and decrypt all traffic between any client and the server, while remaining completely undetectable.
How to protect yourself
You can immediately check if your browser is vulnerable by visiting Tracking the FREAK Attack.
Apple and Google have announced that they will release OS fixes this week. In the meantime, zdnet.com has a detailed article on how to protect you immediately.