Security – FREAK

FREAK is a newly disclosed security flaw affecting both the iOS and OS X versions of Safari, as well as other web browsers and TLS libraries. It lets an attacker sitting between the browser and the server force the connection to use a weakened, 512-bit form of RSA encryption. FREAK is an acronym standing for ‘Factoring RSA-EXPORT Keys’. The flaw has been around for years and was just exposed by security researchers on March 2, 2015. Specifically, this vulnerability is in TLS/SSL (i.e. HTTPS) servers and clients: servers that still offer the old RSA_EXPORT cipher suites, and clients that accept a 512-bit ‘export’ key from the server even though they negotiated a stronger cipher suite.

This flaw left iOS and other devices vulnerable to attack when visiting what were thought to be secure web sites. The flaw has its roots in a Cold War era US government policy that forbade the export of strong encryption, which is why SSL gained deliberately weakened ‘export grade’ cipher suites limited to 512-bit RSA keys. The export restriction was lifted in the late 1990s, but many servers kept offering the export suites, and the client code that handles them was never removed or corrected.

The attack requires a man-in-the-middle position, such as a hostile Wi-Fi hotspot. The attacker rewrites the browser’s handshake so that the server answers with a 512-bit export key, and then factors that key; the researchers did so in a matter of hours for roughly $100 of cloud computing time, and because many servers reuse the same export key until they are restarted, that cost is paid once for many victims. With the key factored, the attacker can read passwords and other personal information sent over the connection and can also tamper with the site being visited by injecting or replacing elements on its pages. The researchers estimate that more than 35% of HTTPS sites worldwide are vulnerable.
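To make the handshake manipulation above concrete, here is a toy model of it in Python. This is an added illustration written for this page, not code from the researchers or from Apple: the cipher suite names are the real TLS identifiers, but the RSA keys are tiny constructed values, the premaster secret is a constructed integer, and “factoring the 512-bit key” is trial division with a work budget so the whole thing runs instantly offline. The `patched` client models the Safari fix, which simply refuses any ephemeral RSA key.

```python
"""Toy model of the FREAK downgrade against an RSA TLS handshake (added example).

Messages are plain dicts, RSA is textbook pow() on tiny constructed keys, and
"factoring the 512-bit export key" is trial division with a work budget.
What the model preserves is the client-side bug: a client that negotiated a
non-export RSA suite must never see a ServerKeyExchange message, yet
vulnerable clients accepted one and encrypted the premaster secret to the
weak key it carried. The patched client refuses ephemeral RSA keys outright.
"""
from math import isqrt

STRONG_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA"    # non-export RSA: no ServerKeyExchange permitted
EXPORT_SUITE = "TLS_RSA_EXPORT_WITH_RC4_40_MD5"  # RSA_EXPORT: 512-bit ephemeral key in ServerKeyExchange
E = 65537

# Constructed toy keys (nowhere near real TLS key sizes). The "export" modulus
# stands in for a 512-bit key the attacker can afford to factor; the
# "certificate" modulus stands in for a 2048-bit key beyond the attacker's budget.
EXPORT_P, EXPORT_Q = 10007, 10009
CERT_P, CERT_Q = 999983, 1000003
ATTACKER_BUDGET = 100_000  # trial divisions the attacker is willing to spend
PREMASTER = 12345678       # constructed stand-in for the 48-byte premaster secret


def keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}


EXPORT_KEY = keypair(EXPORT_P, EXPORT_Q)  # server's ephemeral export key, reused across sessions
CERT_KEY = keypair(CERT_P, CERT_Q)        # key in the server's certificate


class HandshakeError(Exception):
    pass


def server(client_hello):
    """A server that still offers RSA_EXPORT suites (the server half of FREAK)."""
    cert_pub = {"n": CERT_KEY["n"], "e": E}
    if EXPORT_SUITE in client_hello["suites"]:
        # Export suite chosen: ServerKeyExchange carries the weak ephemeral key
        # (in real TLS it is signed with the certificate key; signature omitted here).
        ske = {"n": EXPORT_KEY["n"], "e": EXPORT_KEY["e"]}
        return {"suite": EXPORT_SUITE, "cert_key": cert_pub, "ske": ske}
    return {"suite": STRONG_SUITE, "cert_key": cert_pub, "ske": None}


def client(server_hello, patched):
    """Client half of the RSA key exchange.

    Vulnerable client: if a ServerKeyExchange arrived, use its key, whatever
    suite was negotiated. Patched client (Apple's approach): never accept an
    ephemeral RSA key, so the premaster secret always goes to the certificate key.
    """
    ske = server_hello["ske"]
    if ske is not None:
        if patched:
            raise HandshakeError(
                "unexpected ServerKeyExchange for suite %s" % server_hello["suite"])
        key = ske
    else:
        key = server_hello["cert_key"]
    # ClientKeyExchange: premaster secret encrypted under the chosen RSA key
    return {"key_n": key["n"], "encrypted_premaster": pow(PREMASTER, key["e"], key["n"])}


def factor(n, budget=ATTACKER_BUDGET):
    """Trial division with a work limit, standing in for the hours of cloud compute
    a real 512-bit modulus costs. Returns None when the budget runs out."""
    for p in range(2, min(isqrt(n), budget) + 1):
        if n % p == 0:
            return p, n // p
    return None


def attacker_recover_premaster(client_key_exchange):
    """What the man-in-the-middle does with the captured ClientKeyExchange."""
    n, c = client_key_exchange["key_n"], client_key_exchange["encrypted_premaster"]
    factors = factor(n)
    if factors is None:
        return None
    p, q = factors
    d = pow(E, -1, (p - 1) * (q - 1))
    return pow(c, d, n)


def run_handshake(patched, mitm):
    """Return the premaster secret the attacker recovers, or None if it stays secret."""
    client_hello = {"suites": [STRONG_SUITE]}          # client offers only strong suites
    if mitm:
        client_hello = {"suites": [EXPORT_SUITE]}      # MITM rewrites ClientHello to export only
    server_hello = server(client_hello)
    if mitm:
        # MITM rewrites ServerHello back to the strong suite but forwards the
        # ServerKeyExchange untouched: the client sees a strong suite plus a weak key.
        server_hello = dict(server_hello, suite=STRONG_SUITE)
    return attacker_recover_premaster(client(server_hello, patched))


def outcome(patched, mitm):
    """'downgraded' if the attacker recovers the premaster secret, 'rejected' if
    the client aborts the handshake, 'safe' otherwise."""
    try:
        recovered = run_handshake(patched, mitm)
    except HandshakeError:
        return "rejected"
    return "downgraded" if recovered == PREMASTER else "safe"


if __name__ == "__main__":
    for patched in (False, True):
        for mitm in (False, True):
            print("patched=%-5s mitm=%-5s -> %s" % (patched, mitm, outcome(patched, mitm)))
```

It needs Python 3.8 or later (the modular inverse uses `pow(e, -1, phi)`). Only the unpatched client facing a man-in-the-middle ends up ‘downgraded’; without the attacker the premaster secret goes to the certificate key, which the attacker’s budget cannot factor, and the patched client aborts the handshake the moment a ServerKeyExchange shows up. To check whether a real server still offers export suites the way the toy `server` does, the usual test is `openssl s_client -connect host:443 -cipher EXPORT`; a completed handshake means the server side of FREAK is present, though recent OpenSSL builds have dropped the export ciphers entirely and will refuse to even offer them, in which case you need a scanner that still speaks them.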

Apple has indicated that a fix for Safari will be available in the next week or so.

UPDATED 4/22/15 – See Security Now episode #498 for a more detailed description of FREAK.

UPDATED 3/10/15 – Apple Security Update 2015-002 1.0 applied patches that close this vulnerability. The vulnerability was resolved by removing support for ephemeral RSA keys, so Secure Transport no longer accepts a ServerKeyExchange message carrying an export-grade RSA key.

