{"id":37966,"date":"2015-03-03T21:13:55","date_gmt":"2015-03-04T05:13:55","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=37966"},"modified":"2017-01-06T15:45:05","modified_gmt":"2017-01-06T23:45:05","slug":"freak-openssl-bug-what-apple-users-need-to-know","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/freak-openssl-bug-what-apple-users-need-to-know\/","title":{"rendered":"FREAK OpenSSL Bug: What Apple Users Need to Know"},"content":{"rendered":"

\"FREAK<\/a><\/p>\n

Security researchers have discovered a crippling\u00a0OpenSSL bug\u00a0in Apple and Google devices, as well as many high profile websites, which could allow \u201cman in the middle\u201d attacks. These attacks can occur when Apple users are on public Wi-Fi networks, where they can\u00a0be fooled into connecting to rogue servers claiming to belong\u00a0to someone else.<\/p>\n

The \u201cFREAK\u201d vulnerability (CVE-2015-0204<\/a>), short for Factoring attack on RSA-EXPORT Keys, makes it possible for attackers to decrypt and monitor HTTPS-protected traffic.<\/p>\n

A FREAK attack is possible when someone with a vulnerable device\u2014Mac OS X computers, iOS and Android devices\u2014connects to an HTTPS-protected website configured to use an easily breakable key once thought to be dead<\/a>. It requires that the attacker be in a position where they can intercept packets between the endpoint device and the HTTPS-protected website.<\/p>\n

How did we get here?<\/h3>\n

The flaw resulted from a former policy of the Clinton administration, which required weak 512-bit keys to be used in any software or hardware that was exported out of the United States. The U.S. government forbade the export of strong encryption in products shipped to customers in other countries.<\/p>\n

These restrictions were lifted in the late 1990s, but somehow the weaker encryption have managed to remain in widely used software and hardware around the world, including the United States, and went unnoticed by the public\u00a0until recently.<\/p>\n

How to tell if a website is vulnerable<\/h3>\n

If you have a Mac OS X system, open Terminal and run this line of code:<\/p>\n

openssl s_client -connect www.akamai.com:443 -cipher EXPORT<\/pre>\n
If it returns “alert handshake failure” in its answer, then the host site is safe.<\/p>\n
\"how<\/a><\/p>\n
To check if another site is safe, substitute “www.akamai.com” with another hostname.<\/p>\n
How to tell if your browser is vulnerable<\/h3>\n
Type this web address directly into your browser address bar:<\/p>\n
https:\/\/freakattack.com<\/p>\n
On this page, you can see if your browser is vulnerable, and it has a list of every vulnerable website. At the time of writing this post, only Firefox is safe to use on Mac OS X (both Safari and Google Chrome are vulnerable).<\/p>\n
Have hackers figured out how to exploit the FREAK flaw?<\/h3>\n
There is no published attack using this vulnerability, but that doesn\u2019t mean it’s not happening. Given the age of this vulnerability, someone has probably figured out how to exploit it, at least by the NSA. However, successful exploitation is not exactly easy to accomplish without physical access to the hotspot hardware.<\/p>\n
This means that attacks can be launched by anyone who has access to Internet traffic, which includes governments, Internet Service Providers (ISPs), coffee shops or airports, and any other locations offering Wi-Fi hotspots. A malicious hotspot owner could exploit the vulnerability, or someone spoofing the Starbucks hotspot from a nearby location. And a well-versed hacker could pull it off, but it\u2019s really not that simple.<\/p>\n
Dan Goodin at Ars Technica<\/a>\u00a0described what can happen, and said:<\/p>\n
[A]ttackers on a coffee-shop hotspot or other unsecured network can masquerade as the official website, a coup that allows them to read or even modify data as it passes between the site and the end user.<\/p><\/blockquote>\n
How can the FREAK vulnerability be resolved?<\/h3>\n
Apple can patch this on the client side, and they no doubt will soon. Web server hosts can also patch this on the server side, which they no doubt are doing as well.<\/p>\n
UPDATE: Apple Releases FREAK Fix for OS X, iOS and Apple TVs<\/a><\/strong><\/p>\n
Intego is continuing to research this threat and will continue to provide updates as new information becomes available.<\/p>\n
What can you do to stay protected?<\/h3>\n
To stay safe on Macs, use Firefox.<\/p>\n
On iOS devices, avoid using any public Internet access options (i.e. sitting in Starbucks or using free airport Wi-Fi) and doing things like banking and email. If you must use a public Wi-Fi hotspot, use a VPN (see\u00a0Cloak <\/a>as a\u00a0paid\u00a0option, or\u00a0Onavo Protect<\/a> as a free option), don’t send\u00a0personal or private information if you can avoid it, and never accept any software updates.<\/p>\n
\n
\n
\n
Protect your Mac using\u00a0a multi-layered approach to security: Download\u00a0Intego\u2019s award-winning\u00a0Mac Premium Bundle X8<\/a><\/strong>.<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
Security researchers have discovered a crippling\u00a0OpenSSL bug\u00a0in Apple and Google devices, as well as many high profile websites, which could allow \u201cman in the middle\u201d attacks. These attacks can occur when Apple users are on public Wi-Fi networks, where they can\u00a0be fooled into connecting to rogue servers claiming to belong\u00a0to someone else. The \u201cFREAK\u201d vulnerability […]<\/p>\n","protected":false},"author":4,"featured_media":38005,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[151,13,5],"tags":[3151,2020,2023,80,946,2026],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\n