[MacTUG] Apple Safari, Chrome, Android browsers subject to major HTTPS flaw | Electronista

Marlon A. Griffith m3griffi at uwaterloo.ca
Wed Mar 4 13:51:23 EST 2015


"""
Researchers have discovered a critical flaw in the backbone of
HTTPS-protected traffic, and it is an exploit that has potentially
existed for decades. The flaw exists in approximately 36 percent of
websites that use HTTPS, and miscreants are able to intercept and
modify data passing between a vulnerable browser and a susceptible
site. At the moment, OS X and iOS Safari and Chrome are vulnerable to
the attack, as are virtually all Android devices ever produced, plus
all browsers on Linux.

The flaw, published as CVE-2015-0204, is a factoring attack on
RSA-EXPORT. The so-called FREAK attack is possible when a user with a
vulnerable browser connects to an HTTPS-secured website with a weak
cipher. Attackers who can monitor traffic between vulnerable users can
inject packets into the data stream, forcing a 512-bit encryption
connection, and garner the website's private key. Following such a
data collection, users can masquerade in a public hotspot as that
website, or monitor all traffic through that hotspot to the website.

http://www.electronista.com/articles/15/03/03/freak.attack.forces.low.complexity.90s.era.encryption.mandated.by.us/
"""
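
Added example, not part of the original post or the quoted article: a minimal parser that reads the cipher suites from a TLS ClientHello or ServerHello record and reports any RSA_EXPORT suites, the weak ciphers the FREAK attack depends on. The function names and the sample records are constructed for illustration; the three suite IDs are the IANA-registered RSA_EXPORT values.

```python
# IANA-registered RSA_EXPORT cipher suites (export-grade, 512-bit RSA).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def hello_suites(record: bytes):
    """Return (message kind, [cipher suite IDs]) from one unfragmented hello record."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    msg_type, msg = body[0], body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(msg) < 35:
        raise ValueError("truncated hello")
    pos = 35 + msg[34]  # skip version (2), random (32), session id (1 + n)
    if len(msg) < pos + 2:
        raise ValueError("truncated hello")
    if msg_type == 0x01:  # ClientHello carries a list of offered suites
        n = int.from_bytes(msg[pos:pos + 2], "big")
        raw = msg[pos + 2:pos + 2 + n]
        if n % 2 or len(raw) != n:
            raise ValueError("bad cipher suite list")
        ids = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]
        return "ClientHello", ids
    if msg_type == 0x02:  # ServerHello carries the single selected suite
        return "ServerHello", [int.from_bytes(msg[pos:pos + 2], "big")]
    raise ValueError("not a hello message")

def export_rsa_findings(record: bytes):
    """List the RSA_EXPORT suites offered (client) or selected (server)."""
    kind, suites = hello_suites(record)
    return [f"{kind}: {RSA_EXPORT_SUITES[s]}" for s in suites if s in RSA_EXPORT_SUITES]

def build_hello(msg_type: int, suites):
    """Build a minimal hello record with no extensions (constructed sample data)."""
    ids = b"".join(s.to_bytes(2, "big") for s in suites)
    if msg_type == 0x01:
        tail = len(ids).to_bytes(2, "big") + ids + b"\x01\x00"  # null compression only
    else:
        tail = ids + b"\x00"
    msg = b"\x03\x03" + bytes(32) + b"\x00" + tail  # version, random, empty session id
    hs = bytes([msg_type]) + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    for sample in (build_hello(0x01, [0xC02F, 0x0003]), build_hello(0x02, [0x0008])):
        print(export_rsa_findings(sample))
```

An empty result means the record neither offers nor selects an RSA_EXPORT suite.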





