Browsing the web on Google and Apple devices may have been unsafe for the millions of users who own these products, because of a recently discovered security flaw dubbed the “FREAK attack”.
So far, authorities have found no evidence that this weakness was exploited by hackers, but the companies are moving quickly to repair it. The blame apparently lies with an old, since-abandoned government policy that was not updated in more than ten years. At the time, citing national security concerns, authorities required U.S. software makers to build weaker encryption into software sold overseas.
A team of experts from several research organizations reported their discovery on Tuesday, explaining that this weakened encryption is still accepted by several popular websites and can be used against some Internet browsers. Put simply, the weaker encryption makes it easier to bypass the protection that is supposed to keep your sensitive information safe from unwanted digital eavesdropping.
Among the vulnerable websites are those of some government agencies, as well as Groupon, American Express, Marriott, and Kohl’s, the researchers said. Zakir Durumeric, a computer scientist at the University of Michigan, explained that the flaw exposes Apple’s web browsers and the browser bundled with Google’s Android software. Google’s Chrome browser and Mozilla’s browser were not affected.
After the researchers released their findings on Tuesday, both Apple Inc. and Google Inc. said they had teams working on software updates to fix the FREAK flaw; the name is an acronym for Factoring RSA Export Keys. Apple’s fix will become available next week, whereas Google said it has already provided an update to device makers and wireless carriers.
Matthew Green, a computer security researcher at Johns Hopkins University, says that commercial website operators have also taken corrective measures, having been notified privately of the flaw in the past few weeks.
Some experts took the opportunity to speak out against any government policy that would require weakening encryption. In their view, the risk of handing hackers easy access is not worth it, even when such policies are meant to counter threats or crimes against national security.
Edward Felten, a professor of computer science and public affairs at Princeton, is among the voices speaking against restrictions on exporting encryption code. He said such policies always find a way to come back and bite us, so the government should be cautious before imposing them.
Image Source: Gizmodo