FREAK is a newly discovered security flaw affecting both the iOS and OS X versions of Safari, as well as other web browsers. This vulnerability enables an attacker to force the browser to use a weakened, 512-bit form of encryption. FREAK is an acronym standing for ‘Factoring RSA-EXPORT
Keys’. This flaw has been around for years and was just exposed by security researchers March 2, 2015. Specifically this vulnerability is with TLS/SSL (i.e. HTTPS) servers and clients.
This flaw left iOS and other devices vulnerable to attack when visiting what were thought to be secure web sites. The flaw actually was caused by a cold war US government policy that forbade export of strong encryption. The export restriction was lifted in the late 1990s, but the browser code was never updated.
Once an attacker breaches the browser, they can then steal passwords and other personal information. Using this man-in-the-middle mode of attack, they can also attack the site being visited by taking over elements on the site’s pages. The researchers estimate that more than 35% of HTTPS sites world wide are vulnerable.
Apple has indicated that a fix for Safari will be available in the next week or so.
UPDATED 4/22/15 – See Security Now episode #498 for a more detailed description of FREAK.
UPDATED 3/10/15 – Apple Security Update 2015-002 1.0 applied patches that close this vulnerability. The vulnerability was resolved by removing support for ephemeral RSA keys.