‘FREAK’ flaw undermines security for Apple and Google users, researchers discover by Craig Timberg.
From the post:
Technology companies are scrambling to fix a major security flaw that for more than a decade left users of Apple and Google devices vulnerable to hacking when they visited millions of supposedly secure Web sites, including Whitehouse.gov, NSA.gov and FBI.gov.
The flaw resulted from a former U.S. government policy that forbade the export of strong encryption and required that weaker “export-grade” products be shipped to customers in other countries, say the researchers who discovered the problem. These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year.
Researchers discovered in recent weeks that they could force browsers to use the weaker encryption, then crack it over the course of just a few hours. Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the Web sites themselves by taking over elements on a page, such as a Facebook “Like” button.
The problem illuminates the danger of unintended security consequences at a time when top U.S. officials, frustrated by increasingly strong forms of encryption on smartphones, have called for technology companies to provide “doors” into systems to protect the ability of law enforcement and intelligence agencies to conduct surveillance.
…
The falling back to weaker encryption was a feature, not a bug or flaw when it was introduced into browsers. It enabled browsers to work with non-U.S. sites using weaker encryption as well as U.S. sites using stronger encryption. Had that feature not been in place, browsers would have discriminated against non-U.S. websites and merchants. With the average complaints from the usual suspects.
Now that the fallback capability is included as a matter of default, without design analysis of the capabilities of browser software, the now legacy fallback capability produces encryption that is subject to attack by computing resources that did not exist when the original weaker encryption was mandated.
You can argue that the vulnerability introduced by the weaker encryption is an unintended consequence of earlier government mandates. But that skips over the responsibility of the browser development community for failing to remove a legacy capability that is no longer needed. As well as its failure to perform a security analysis on browser software in light of current computing capabilities.
Unless and until security becomes part of the software development culture, we are condemned as the sinners in the vestibule of Hell to follow whatever security flaw has captured our attention at the moment. Fixing flaws does not make software more secure, it only fixes the bug that was noticed.