.jpg)
Security Researchers team have discovered that a potentially catastrophic flaw that for more than a decade has made it possible for attackers to decrypt HTTPS-protected traffic passing between Android or Apple devices and hundreds of thousands or millions of websites, including AmericanExpress.com, Bloomberg.com, NSA.gov, and FBI.gov.The flaw resulted from a former U.S. government policy that forbade the export of strong encryption and required that weaker “export-grade” products be shipped to customers in other countries, say the researchers who discovered the problem.
These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year.
More than 14 million websites that support the secure sockets layer or transport layer security protocols found that more than 36 percent of them were vulnerable to the decryption attacks. The exploit takes about seven hours to carry out and costs as little as $100 per site.
They are dubbed it "Factoring attack on RSA-EXPORT Key" or FREAK, and it renders everyone who uses Safari on Mac and iOS devices or Android's stock browser susceptible to hacking when they visit certain "secure" websites.
The US government required companies to use weaker, 512-bit encryption for visitors from overseas, and stronger encryption for visitors stateside.
In order to do that, SSL's developers designed a mechanism that could deliver both. While the government eventually pulled the requirement, it was too late: this mechanism propagated and ended up being used on various software.
That's why during the research, the team managed to force browsers to use the weaker encryption, which one member was able to break within seven hours using the power of 75 computers. In comparison, a 1024-bit encryption would require a team of crackers, the power of a few million PCs, and around a year to hack into.
Apple announced that a fix will be available as of next week, while Google stated that their update for device makers and wireless carriers has already been released. Despite this head start, Android devices may take longer to be secured from the vulnerability due to the wide range of manufacturers and carriers.
