The ‘FREAK’ encryption bug, which was earlier considered a threat only to certain mobile devices and Apple computers, can actually affect many more browsers and websites, experts warn. New research by French scientists has shown that major SSL clients, including OpenSSL, can be compromised through this vulnerability, called ‘FREAK’ (Factoring Attack on RSA-EXPORT). Indusface, a leading provider of application security solutions for web and mobile applications, has issued a security warning elaborating on the vulnerability and the potential risks of this bug.
“Vulnerable websites and browsers can allow hackers to enter hundreds and thousands of computers. Attackers use old encryption ciphers and then decrypt messages, passwords and other information,” said the company in a statement issued today.
What this means in practice is that when you visit a susceptible website, whether for online shopping, banking transactions or just browsing, an attacker could intercept the connection and access your confidential data.
The FREAK bug affects the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) cryptographic protocols: it allows an attacker to intercept HTTPS connections by forcing the connection down to weakened, export-grade encryption, which can then be broken to reach vulnerable devices.
Indusface recommends checking servers for support of RSA export-grade keys and ciphers, and warns against the use of weak ciphers over SSL. The company has also updated its ‘IndusGuard Web’ scanners and ‘IndusGuard WAF’ to provide immediate detection of, and protection against, the vulnerability.
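The recommendation above (check what a server offers, and refuse export-grade suites) can be turned into a small audit. The following is an added example, not Indusface's or any scanner's code: it flags export-grade suite names in a cipher list (the suite names are a constructed sample), and it shows how an OpenSSL-style cipher string with an explicit `!EXPORT` exclusion leaves no export suites enabled in Python's own `ssl` context. The function and variable names are assumptions made for this example.

```python
"""Audit cipher-suite lists for export-grade (FREAK-relevant) suites."""
import ssl

# Constructed sample of suite names a server might advertise, in both the
# OpenSSL short form (EXP-...) and the IANA long form (TLS_RSA_EXPORT_...).
SAMPLE_OFFERED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "EXP-RC4-MD5",
    "EXP-DES-CBC-SHA",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "EXP1024-RC4-SHA",
]

# A hardened OpenSSL cipher string (assumed example policy): strong suites
# only, with anonymous, null and export-grade suites explicitly excluded.
HARDENED_CIPHER_STRING = "HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5"


def is_export_grade(name: str) -> bool:
    """Return True if a suite name denotes an export-grade (weakened) suite."""
    upper = name.upper()
    return (
        "EXPORT" in upper            # IANA form: TLS_RSA_EXPORT_WITH_...
        or upper.startswith("EXP-")  # OpenSSL form: EXP-RC4-MD5, EXP-DES-CBC-SHA
        or upper.startswith("EXP1024-")  # OpenSSL 56-bit / 1024-bit export variants
    )


def audit_cipher_list(names):
    """Return the subset of suite names that are export-grade and should be disabled."""
    return [n for n in names if is_export_grade(n)]


def enabled_suites(cipher_string: str):
    """Apply an OpenSSL cipher string to a TLS client context and list what it enables."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(cipher_string)
    # get_ciphers() returns one dict per enabled suite; 'name' is the OpenSSL name.
    return [c["name"] for c in ctx.get_ciphers()]


def policy_is_free_of_export(cipher_string: str) -> bool:
    """True if the given cipher string enables no export-grade suite at all."""
    return not audit_cipher_list(enabled_suites(cipher_string))


if __name__ == "__main__":
    flagged = audit_cipher_list(SAMPLE_OFFERED)
    print("export-grade suites offered:", flagged)
    print("hardened policy free of export suites:", policy_is_free_of_export(HARDENED_CIPHER_STRING))
```

On a current OpenSSL build the export suites are not compiled in at all, so the hardened string enables none regardless; the `!EXPORT` exclusion still belongs in the policy so that the same configuration stays safe on older builds where they exist.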