What is FREAK (security breach)?

FREAK, (Factory RSA Export Keys) is a security vulnerability that has existed for several years but has only been realized for now.

On March 3, 2015, it was announced through a security bulletin that the technology currently (existing since 1990) is currently weak; found on Apple devices initially and showing how data can be intercepted in any wi-fi hotspot.

This flaw arose from a law imposed in the United States, which prohibited the export of technological content to other countries with strong encryption; even though the law was canceled, the manufacturers left it there for "compatibility".

It is the third biggest security flaw in recent times after several consecutive flaws called Heartbleed and Shellshock, which shocked the world on the highly trusted SSL platform.

In fact, 15 years ago, this type of encryption keys were once considered weak, but because of a North American law at the time, it was forbidden to export technological content using strong encryption technology to other countries, so the "simple" cipher , has only 512 bits.

After the law was canceled, the manufacturers only enabled strong ciphers, but left the low ciphers technology there due to the dependence on software needed at the time, to keep it compatible.

One of the big problems is that both browsers and servers offer support and if both are supported and negotiate the connection with the weak key, the data can be intercepted and broken easily, as the negotiated encryption key is small, and easy to be broken by today's computers.

Both Google, Apple and Microsoft have released updates for their browsers to refuse 512-bit keys, while maintaining the use of higher keys.

Reference sources:

No comments