What Is The FREAK Flaw And How Much Should I, Well, Freak Out About It?

There are certain websites that you expect to be secure. The NSA’s and FBI’s sites, for example, or any shopping site you enter your credit card information on. They say HTTPS, and they show a lock, so they’re fine, right? Wrong. A team of researchers this week announced a flaw they’re calling FREAK. It lets an attacker quietly weaken the encryption that the lock is supposed to guarantee, and the affected software is everywhere: not just on laptop and desktop computers, but also on mobile phones and tablets. Here’s what you need to know.

What does the FREAK flaw do?
Like other security flaws we’ve heard about this year, the FREAK flaw would let a third party insert itself between your computer and the website you’re sharing data with. The way it gets there, though, is very different.

The TL;DR version of the technical explanation is: when a vulnerable device connects to a vulnerable HTTPS-protected site (these tend to display a lock or a green icon of some kind in your URL bar), an attacker sitting on the network path between them can trick the two into setting up the connection with a deliberately weakened, 1990s “export-grade” 512-bit RSA key. A key that small can be broken with modest computing power, and once it is broken the attacker can read, and even alter, the data going back and forth between the two. And that includes personal information, passwords, and anything else.

The original highly technical explanation, from the researchers who identified the exploit, is here, with another very detailed explanation here.

What platforms are vulnerable or affected?
It’s a depressingly large list. The browsers and platforms known to be vulnerable include:

  • Android: stock browser
  • Android: Chrome
  • Blackberry: stock browser
  • iOS (iPhone/iPad): Safari
  • Linux: Opera
  • Mac OS: Chrome
  • Mac OS: Opera
  • Mac OS: Safari
  • Windows: Internet Explorer

What platforms aren’t affected?
Firefox, on all operating systems (computers and phones), seems to be OK as far as anyone can tell. Firefox uses its own encryption library rather than the one built into the operating system, and that library does not have the bug. There is already a patch available for Chrome on the Mac.

What sites are vulnerable?
That is another depressingly long list, from retail to government and lots of things in between. Some of the highest-traffic domains that are affected include Business Insider, American Express, Groupon, Bloomberg, NPR, Kohls, and MIT. A number of very high-profile government sites were also affected, including the NSA, the FBI, and the White House’s sites, as well as the site (USAJobs) that all applicants for any federal job must use.

Where did it come from, and how long has it been a problem?
The flaw has been out in the wild for over a decade. Basically, we have some questionable choices of the 1990s to thank.

Security, encryption, and data privacy had a different set of priorities attached to them in the 1990s than they do now. Back then the federal government treated strong encryption as a munition, and any software or hardware exported outside of the U.S. was limited to deliberately weakened “export-grade” keys: for the RSA keys used to set up a secure web connection, that meant 512 bits at most, small enough that the government could break them when it wanted to. Many businesses set up dual-track encryption, using the good stuff at home and shipping the weak versions abroad, and the export-grade options were written into the SSL standard itself. The restrictions were lifted around 2000, but the export options never went away. Plenty of servers still agree to use them if asked, and, worse, the encryption software in many browsers and phones has a bug: it accepts a weak export-grade key from a server even when it never asked for one. An attacker in the middle exploits that mismatch. It intercepts the browser’s opening request, rewrites it so the server thinks the browser only speaks export-grade, and the server obligingly sends back a 512-bit key that the buggy browser accepts without complaint.
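As an added illustration (not part of the original article, and not one of the researchers’ tools), the Python script below speaks just enough TLS to send a server an opening request that offers nothing but the three RSA export-grade cipher suites, which is exactly the substitution a FREAK man-in-the-middle makes to a real browser’s request, and then reports whether the server agrees to one of them. A server that does is one half of what the attack needs; the other half is a browser with the key-acceptance bug. The ServerHello and alert records used to exercise the parser offline are constructed for demonstration, not captured traffic, and any hostname you pass on the command line is your own choice.

```python
"""Check whether an HTTPS server still offers RSA export-grade cipher suites.

Added example (not from the article or the FREAK researchers). It speaks just
enough TLS 1.0 to send a ClientHello offering only export suites and to read
the server's first answer. A ServerHello picking one of them means the server
is the kind a FREAK man-in-the-middle can use; an alert means it refused.
"""
import os
import socket
import struct
import sys

# The RSA export suites from the 1990s: 512-bit RSA key exchange, 40-bit ciphers.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
TLS_1_0 = b"\x03\x01"


def tls_record(content_type: int, payload: bytes) -> bytes:
    """Wrap a payload in a TLS record header (type, version, length)."""
    return bytes([content_type]) + TLS_1_0 + struct.pack("!H", len(payload)) + payload


def handshake_msg(msg_type: int, body: bytes) -> bytes:
    """Wrap a handshake body in its 4-byte header (type, 24-bit length)."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_client_hello(hostname: str, suites=tuple(EXPORT_RSA_SUITES)) -> bytes:
    """ClientHello that offers only `suites` (export-only by default) plus SNI.

    Offering nothing but export suites is the same edit a FREAK attacker makes
    to a victim browser's ClientHello on its way to the server.
    """
    name = hostname.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name       # host_name type 0
    sni_body = struct.pack("!H", len(server_name)) + server_name       # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body     # extension_type 0
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        TLS_1_0                                               # client_version
        + os.urandom(32)                                      # random
        + b"\x00"                                             # empty session_id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes   # cipher_suites
        + b"\x01\x00"                                         # compression: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext           # extensions
    )
    return tls_record(RECORD_HANDSHAKE, handshake_msg(CLIENT_HELLO, body))


def classify_server_response(data: bytes) -> str:
    """Interpret the first TLS record a server sends back to the export-only hello."""
    if len(data) < 5:
        return "no TLS response"
    content_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == RECORD_ALERT and len(payload) >= 2:
        return "refused export suites (alert %d)" % payload[1]   # 40 = handshake_failure
    if content_type == RECORD_HANDSHAKE and payload and payload[0] == SERVER_HELLO:
        body = payload[4:]                    # skip the handshake header
        sid_len = body[34]                    # version (2) + random (32) precede it
        suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
        if suite in EXPORT_RSA_SUITES:
            return "VULNERABLE: negotiated " + EXPORT_RSA_SUITES[suite]
        return "negotiated non-export suite 0x%04x" % suite
    return "unexpected record type %d" % content_type


def make_server_hello_record(suite: int) -> bytes:
    """Constructed ServerHello (not captured traffic) for exercising the parser offline."""
    body = TLS_1_0 + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return tls_record(RECORD_HANDSHAKE, handshake_msg(SERVER_HELLO, body))


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to a live server and classify its reply. Needs network access."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        return classify_server_response(sock.recv(4096))


if __name__ == "__main__":
    # Offline self-check on constructed records, then optional live probes.
    print(classify_server_response(make_server_hello_record(0x0008)))
    print(classify_server_response(tls_record(RECORD_ALERT, b"\x02\x28")))
    for host in sys.argv[1:]:
        print(host, "->", probe(host))
```

Run it with one or more hostnames to probe live servers; with no arguments it only exercises the parser on the constructed records. A “refused” result means the server rejected the export-only offer, which is what a correctly configured server should do; a “VULNERABLE” result means the server will hand out a 512-bit export key to anyone who asks, so a man-in-the-middle can ask on a victim’s behalf.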

That’s where the “FREAK” name comes from: it’s more or less an acronym for “Factoring attack on RSA-EXPORT Keys.”

How did we learn about this issue?
From a team of security researchers, as opposed to from a massive data dump or worldwide hack. A team at the University of Michigan is maintaining an information clearinghouse site on the vulnerability here.

How hard would this be to exploit?
The researchers who announced the findings said that, in their proof-of-concept, breaking (factoring) one server’s 512-bit export key took about 7 hours of rented cloud computing time and cost roughly $100. That sounds slow for an attack, but many servers generate one export key and keep reusing it for days or weeks, often until the server is restarted, so once the key is broken the attacker can impersonate that site to every vulnerable visitor until the key changes.

Has anyone used this particular flaw to steal my data?
Honestly? We have no real idea. Man-in-the-middle attacks, where bad guys sit between source A and destination B and read or alter the information passing between them, are pretty common, as these things go, and there’s no way right now to know who has taken advantage of this particular flaw, when, or where.

But the good news is, this particular flaw should be less useful in the future. Patches to fix this particular problem are already out or are expected very soon. So make sure you update your browser or phone OS the next time it asks you to. Site operators can close the hole from their end too, by turning off the export-grade options on their servers, which protects even visitors who haven’t updated yet.