Decades-Old Legacy Encryption Found in iOS, OS X, Android - Apple Says Fix Is Coming

SecurityLegacy encryption technology has been found in iOS, OS X, and Android that allows malicious hackers to potentially sniff data going to and from servers that appear to be secure. The vulnerability has been dubbed FREAK by researchers, and Apple told TechCrunch, "We have a fix in iOS and OS X that will be available in software updates next week."

FREAK is left over from idiotic government controls on encryption from the 1990s, when the U.S. government maintained strict controls over encryption technology. Only "export grade" encryption could be installed on computers leaving the country—export grade encryption was easily breakable by the U.S. National Security Agency.

And the bad guys.

The U.S. has long-since reversed this policy, but export grade encryption still resides in iOS, OS X—including Safari—and Android. Researchers discovered that malicious hackers could force many websites to accept these legacy encryption schemes, and thus listen to traffic. From the website set up by the researchers:

A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.

They have identified many servers on the Internet vulnerable to this problem, and those sites are listed on the FREAKAttack.com site. They include 9.7 percent of Alexa's top one million websites. That's a scary figure of more than 97,000 websites, but as of this writing, it's down from 12.2 percent.

Users visiting FREAKAttack.com site are also informed if their browser is vulnerable to the exploit. As noted above, Apple has said a patch will be released next week. Google said that it has already provided patches to OEMs—knowing Android's miserable update history, it's likely few Android devices will ever see a fix.

This is yet another example of how intentionally crippling encryption for the sake of government surveillance ultimately makes all of us vulnerable. Restricting encryption technology in the first place not only encouraged development of encryption technologies outside the U.S., it resulted in consumers around the globe being vulnerable to all manner of attacks from the bad guys.

More than a decade and a half after those restrictions were lifted, we are still paying the price—and remember that though this exploit was just found by the good guys, its conceivable a criminal organization or government has been using it for years.

As consumers, we need strong encryption to protect our data, our identity, and everything else associated with a modern life of computers and mobile life.