We need your help now
Support from readers like you keeps The Journal open.
You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.
If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.
Sign in. It’s quick, free and it’s up to you.
An account is an optional way to support the work we do. Find out more.
By continuing, you are indicating that you accept our Terms of Service and Privacy Policy.
MILLIONS OF APPLE and Google customers are at risk of having their confidential details stolen by hackers thanks to a newly-discovered “FREAK” vulnerability, the Washington Post reports.
The security flaw affects Android and iOS users who use the default Chrome or Safari browsers. Both companies are now rushing to bring out a fix.
So what is “FREAK”?
It stands for Factoring attacks on RSA-EXPORT Keys. To understand what that it is, you need to know about the history of cryptography.
Back in the 1990s, there was a debate over the use of cryptography to secure websites. Researchers and developers argued it was essential to protect people’s confidential details, while the authorities argued it threw up dangerous barriers to law enforcement.
Ultimately, a limit of 512-bit was placed on the strength of encryption in software that could be exported from America.
Encryption
This meant authorities could, if need be, intercept communications of products that has this encryption strength. These limits were later relaxed and encryption became considerably stronger. But the early restrictions had a nasty effect.
“The weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year,” The Washington Post explains.
This means that many websites and browsers are still programmed to provide 512-bit keys for security when requested, even though they can be cracked in a matter of hours.
As a result, a hacker could go to an affected website, obtain its weak key, crack it, then be able to impersonate that website and intercept traffic to the site on the same network as them.
It’s what’s often called a “man in the middle” attack. On your home WiFi you’re probably safe, but you could be targeted whenever you log on to a public network, like a a coffee shop, or a hotel, or an airport.
Websites
The list of websites affected is extremely extensive.
Banks like American Express and Santander are vulnerable, along with other major websites like Groupon, hotel chain Marriott, and shopping site J-Crew.
At one point, the websites of the White House, the NSA, and the FBI were all affected, according to the Washington Post, although they’ve since implemented fixes.
According to one site dedicated to tracking FREAK, 9.7% of the Alexa Top 1 Million websites are affected (down from 12.2% as people begin to patch the issue).
What this means in real terms is that when you’re shopping online, or checking your bank statement, or logging onto one of your favourite sites, hackers may be harvesting your sensitive personal information.
There’s no confirmed uses of FREAK to harvest personal data — but the vulnerability has existed for decades, so it’s not unthinkable to suggest it may have been used.
And the reason FREAK exists isn’t because of shoddy coding by a developer — it’s because the government wanted a “backdoor” into encryption products when necessary.
As debate over the use of encryption begins to flare up once again, researchers are already pointing to FREAK as evidence developers shouldn’t weaken their encryption products at the request of law enforcement.
“Encryption backdoors will always turn around and bite you in the ass,” writes Matthew Green. “They are never worth it.”
To embed this post, copy the code below on your site
aaaaaaAAHHH FREAK OUT!
Ingredients:
1 X lunchbox,
1 X raspberry pi,
2 X wireless dongles,
1 X Battery pack,
+ some easily found know-how
=
some bank details on a cafe/bar/etc network
do NOT trust publicly available wifi.
Laptop or any computer would do fine too, doesn’t sound as nerdy and techy though
It would have to be a big lunchbox and wouldn’t be so discrete would it?
There are other reasons, like being able to run an rpi for days off a decent battery, being able to hide it a lot easier, not having tour digital fingerprint all over it, being a total cost of about €80.
Turns out, being nerdy can be practical too.
What’s in the lunchbox, not jam sandwiches I hope. My childhood nightmare.
Never liked them either. It was all about the peanut butter or just ham….
https://freakattack.com/ will tell you if the browser on your device is affected. If so you should not enter passwords or personal data on that device browser until it’s fixed…
Woe woe woe, is that just not telling us that the browser you visit that site on is vulnerable?
@chief yes, but the list of sites is so long that I’d rather not use an affected browser full stop
This doesn’t scare me.
Should I not use my safari until it’s fixed then? It’s all Greek to me!
The best advice is to travel back in time ten years and not use any browser until the fix comes out.
I’m freaking out here
have your say