The buzz among Apple fans today is the news about the FREAK vulnerability.
The FREAK vulnerability is a jiggled up acronym for “Factoring Attack on RSA-EXPORT Keys”. The vulnerability stems is due to the configuration of some web servers and some web browsers to allow use of weak encryption, and thereby allowing the bad guys to eavesdrop on supposed secure communication. In the earlier days of the web, US regulations prohibited export of strong encryption technologies. This meant that international visitors to websites had to fall back to using of certificates with lesser inscription (this behaviour was automatic and built into web browsers). Those days are long gone and strong encryption is now possible everywhere. Unfortunately some web servers and some web browsers still allow this use of weaker encryption.
A couple of big names are involved:
- Apple’s Safari web browser is vulnerable. Apparently an update will be forthcoming very soon.
- The stock Android web browser is vulnerable. Given that Android updates are pushed out to end-users at discretion of ISPs, the vulnerability will likely remain unpatched in most cases. It should be noted the the Chrome browser is not vulnerable.
- The list of known vulnerable web server include a couple of interesting names like the National Security Agency (NSA). A group of researched proved the point yesterday by hacking the NSA website.
If you are hosting a website on an Anno server, then you rest assured that our servers are not vulnerable to FREAK. No freak is going to eavesdrop on your secured communication or that of your website visitors. But do update your iPhone, iPad or Mac when the update is released!