Last week’s news brought concerning information about a major flaw called FREAK that impacts the security of web servers and browsers. If you are running an HTTPS website, you need to take action. You also need to protect yourself when you visit websites that use HTTPS.
What Is FREAK
FREAK stands for Factoring Attack on RSA-EXPORT Keys. It is a vulnerability that allows attackers to force servers and clients (such as your browser when it connects to a website) to use weak encryption. The flaw is in Secure Sockets Layer and Transport Layer Security, commonly referred to as SSL/TLS technology. Encryption is how communications between your browser and a business’s website are kept secure.
If encryption is weak, the attacker can access confidential information such as passwords or other encrypted data being transmitted. For example, if you use an insecure browser to visit a website whose server has the flaw, your communications are at risk of interception. Only one side of the connection needs to be protected against this flaw to stop the attack.
What Applications Does It Impact
It is estimated that a third of HTTPS-secured sites are at risk. Affected HTTPS sites are vulnerable in how they negotiate the encryption of transmitted data.
On the browser side, FREAK can impact all Windows versions as well as Apple and Android browsers. Initial reports stated that only Apple and Android operating systems were impacted. A few days later Microsoft announced that it does impact all versions of Windows. Experts say Chrome 41 and Mozilla’s Firefox are not affected.
When a Fix Is Expected
Apple states a fix should be available within days. Microsoft issued a security advisory that explains the issue and what options exist today while they fix the problem. Many hosted websites have patched the flaw. More websites still need to correct the problem.
What You Can Do
If you are operating a website using HTTPS, check with your hosting company to ensure that they are taking proactive steps to secure their encryption process. There are several workaround steps that hosting companies can take.
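One concrete check a site operator can run is to offer a server only export-grade cipher suites and see whether it accepts one. This is an added example, not code from the article; it assumes the openssl command-line tool is installed, and `example.com` is a placeholder hostname. On modern OpenSSL builds the export suites have been removed entirely, so the script reports that case separately rather than as a pass.

```shell
#!/bin/sh
# Added example: classify an `openssl s_client` transcript to tell whether the
# server negotiated an export-grade (EXP-*) RSA cipher suite, which is the
# weak key material FREAK relies on. Assumes the openssl CLI is available.

# classify_handshake reads an s_client transcript on stdin and prints one of:
#   VULNERABLE  - server negotiated an EXP-* suite
#   OK          - server refused every export suite it was offered
#   UNTESTABLE  - the local openssl has no export suites to offer
classify_handshake() {
  transcript=$(cat)
  if printf '%s' "$transcript" | grep -qiE 'no cipher(s)? (match|available)'; then
    echo UNTESTABLE
  elif printf '%s' "$transcript" | grep -qE 'Cipher is EXP-'; then
    echo VULNERABLE
  else
    echo OK
  fi
}

# check_export_rsa HOST [PORT]: connect offering only export suites, then
# classify the resulting transcript. "Q" closes the session after the handshake.
check_export_rsa() {
  host="$1"; port="${2:-443}"
  printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
    -cipher 'EXPORT' 2>&1 | classify_handshake
}

# Usage (placeholder host): check_export_rsa example.com
```

A result of OK from this script means the server refused export suites; it does not by itself prove the server is fully patched.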
Monitor the news about your browser and install the patch as soon as it is available. Many attacks are opportunistic and occur when businesses don’t bother to promptly install patches.
There are several sites that allow you to check the likely security of your browser. This site was established by researchers at the University of Michigan.
Unfortunately, as many security experts stated last year after the Heartbleed flaw was announced, more vulnerabilities of this type are likely to be discovered as researchers and cyber criminals look for attack opportunities embedded in older, commonly used technology. Rapid installation of patches will continue to be imperative to protect your network.