Safari, Chrome Browsers Subject to Major HTTPS Flaw

Posted by at 3:15 am on March 4, 2015


Researchers have discovered a critical flaw in the backbone of HTTPS-protected traffic, one that has potentially existed for decades. The flaw exists in approximately 36 percent of websites that use HTTPS, and miscreants are able to intercept and modify data passing between a vulnerable browser and a susceptible site. At the moment, OS X and iOS Safari and Chrome are vulnerable to the attack, as are virtually all Android devices ever produced, plus all browsers on Linux.

The flaw, published as CVE-2015-0204, is a factoring attack on RSA-EXPORT. The so-called FREAK attack is possible when a user with a vulnerable browser connects to an HTTPS-secured website with a weak cipher. Attackers who can monitor traffic between vulnerable users and the website can inject packets into the data stream, forcing a 512-bit encryption connection, and garner the website’s private key. Following such a data collection, attackers can masquerade in a public hotspot as that website, or monitor all traffic through that hotspot to the website.

Johns Hopkins professor Matthew Green said of the attack method that “this bug causes them to accept RSA export-grade keys even when the client didn’t ask for export-grade RSA. The impact of this bug can be quite nasty: it admits a ‘man in the middle’ attack whereby an active attacker can force down the quality of a connection, provided that the client is vulnerable and the server supports export RSA.”
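The two conditions in Green's description, as an added example that is not part of the original article and not code from any browser or TLS library: a server-side audit for enabled RSA export suites, and the client-side check whose absence left browsers vulnerable. The function names and the sample handshake values are constructed for illustration; the suite IDs are the IANA-assigned values.

```python
# Added example: a simplified model, not code from any TLS library.
# IANA cipher suite IDs for the SSL/TLS RSA export suites.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def export_suites_enabled(server_suites):
    """Server-side audit: RSA export suites present in a server's enabled list."""
    return sorted(RSA_EXPORT_SUITES[s] for s in server_suites if s in RSA_EXPORT_SUITES)


def check_server_flight(offered, selected, temp_rsa_bits=None):
    """Client-side validation of the server's handshake messages.

    offered       -- suite IDs the client sent in its ClientHello
    selected      -- suite ID chosen in the ServerHello
    temp_rsa_bits -- size of a temporary RSA key in ServerKeyExchange, or None
    Returns (accept, reason).
    """
    if selected not in offered:
        return False, "server selected a suite the client did not offer"
    if temp_rsa_bits is not None and selected not in RSA_EXPORT_SUITES:
        # The check a vulnerable client skipped: a temporary RSA key is only
        # valid for export suites, so it must be rejected everywhere else.
        return False, "temporary RSA key received for a non-export suite"
    if selected in RSA_EXPORT_SUITES:
        # Hardening policy (an assumption of this example): never use export grade.
        return False, "export-grade suite negotiated; refused by policy"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample data: 0x002F and 0x0035 are the AES-128/AES-256
    # CBC-SHA suites with plain RSA key exchange.
    client_offer = [0x002F, 0x0035]
    print(export_suites_enabled([0x002F, 0x0003, 0x0008]))
    print(check_server_flight(client_offer, 0x002F))        # normal handshake
    print(check_server_flight(client_offer, 0x002F, 512))   # unrequested 512-bit key
    print(check_server_flight(client_offer, 0x0003, 512))   # suite never offered
```

A server passes the audit when `export_suites_enabled` returns an empty list; a patched client behaves like `check_server_flight` and aborts the handshake on either rejected case.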

Popular websites that are susceptible to the FREAK attack are bloomberg.com, Americanexpress.com, businessinsider.com, marriott.com, zdnet.com, usajobs.gov, sec.gov, FBI.gov, Whitehouse.gov, themarysue.com, daringfireball.net and many others.

Apple has told Ars Technica that they are patching OS X and iOS in the next week. Firefox for OS X isn’t vulnerable, nor are users on a secure network, since the “man in the middle” attack requires packet inspection. TOT recommends that, until browsers are patched, users who must connect to a public network use the latest Firefox build, which is immune to the attack.


Copyright © 2008 - 2024 · StreetCorner Media , LLC· All Rights Reserved ·