Another month, another online security flaw. This time, the vulnerability is one that affects your browser, and it isn’t limited to any one browser, nor any single operating system. Are you affected by the FREAK security bug? How can you find out, and what can you do to protect yourself?

What is the FREAK Security Vulnerability?

Discovered through cooperation between researchers from IMDEA, INRIA and Microsoft Research, FREAK (Factoring RSA Export Keys) exploits a weakness in the SSL/TLS security protocols. The export cipher weakness – apparently put in place at the behest of the surveillance-happy NSA – can now be easily exploited, thereby enabling anyone with a reasonably powerful computer to crack public keys. Worse still, when combined with a man-in-the-middle attack (as with the problem with Lenovo bundling Superfish malware on its laptops), the vulnerability can be used to hack websites and their visitors’ browsers.

Put simply, this is a bit of a problem, not only for users, but for website owners too. Problem sites include online stores and, ironically given the origins of the flaw, US government websites.

Ars Technica’s Dan Goodin called this vulnerability “potentially catastrophic” while Washington Post’s Craig Timberg states:

“The problem illuminates the danger of unintended security consequences at a time when top U.S. officials, frustrated by increasingly strong forms of encryption on smartphones, have called for technology companies to provide ‘doors’ into systems to protect the ability of law enforcement and intelligence agencies to conduct surveillance.”

Who is Affected?

A list of affected websites, accurate as of March 6th, includes businessinsider.com, groupon.com, zdnet.com, talktalk.co.uk, motorola.com, Santander.com.br, and many others. It is particularly ironic that some of those sites affected are those reporting the vulnerability. This accounts for 9.5% of the host servers for Alexa’s top 1 million websites, with 26.3% of servers worldwide still vulnerable to this problem.

But as you should have gathered by now, it isn’t only websites that are affected by the FREAK bug. Users are too.

Working out who is affected is simple. If you’re using Windows, you’re affected, but before you non-Windows users attempt to stifle your snorts of derision, read this: browsers on other platforms are also affected.

Are YOU Affected by FREAK?

To find out if the FREAK security bug affects you directly, head to freakattack.com/clienttest.html (no user information is required) and read what it tells you about your browser. If you’re affected you’ll spot a couple of warnings highlighted in red, as illustrated, and a list of the cipher suites that can be hacked using the vulnerability.

Vulnerable Browsers

Six browsers are affected, across five platforms, Mac OS X, Blackberry and Linux included.

  • Internet Explorer users should observe the Microsoft Security Advisory before proceeding. Until a fix is rolled out, it is simpler to avoid using IE, as the workaround is potentially destructive to some tasks.
  • For Chrome on Mac OS, a patch is available now, so you can update OS X the usual way to deal with this.
  • Safari users (on OS X and iOS) will need to wait, making this a good opportunity to switch to Chrome or Firefox.
  • Worryingly the stock Android browser and Chrome for Android are affected by this, with no sign of any updates as yet. Despite this, you shouldn’t be using the stock browser as it is susceptible to various other problems.
  • Blackberry users – of which we know there are still many, if the reaction to my week with a Blackberry Z10 is anything to go by – are also affected.
  • Opera users on Mac OS X and Linux are susceptible to the FREAK vulnerability, with no indication at the time of writing of any impending fixes.

As you should have noticed, there is one clear winner here: Mozilla Firefox. If a version is available for your operating system, we recommend that you switch. That said, Chrome for Windows appears to be safe as well.

Take Action Now: Kill the FREAK Bug

If there is to be any silver lining to all of this, it’s that the main online stores have remained unaffected, and that Mozilla Firefox owners – long portrayed as a dying breed in the face of Google Chrome – can feel vindicated for sticking with the more secure option.

Some behavioural change is required. Drop Internet Explorer if you’re on Windows, and switch to Firefox on any platform where it can be used (after all, it’s arguably more flexible than Google Chrome). As ever, you should maintain an active firewall, whether built into your operating system or provided by a trusted third party company.

Finally, make sure you accept and install all operating system updates over the coming weeks in order to kill the FREAK security bug.

Leave your questions in the comments.

Featured Image Credit: Woman holding laptop via Shutterstock

Image Credit: HTTPS and Lock Symbol via Shutterstock, Alexander Supertramp / Shutterstock.com

  1. mindtrip
    March 11, 2015 at 4:05 am

    Oh, and to be safe, I completely removed Chrome, downloaded and installed a fresh copy straight from Google--still vulnerable.

    • Christian Cawley
      March 14, 2015 at 6:50 pm

      Thanks Mindtrip, good advice.

  2. mindtrip
    March 11, 2015 at 4:04 am

    Google Chrome 64-bit is still vulnerable. I have shut off all antivirus, Waterfox (64-bit firefox) registers as fine but 64-bit Chrome always shows it is vulnerable. I suggest checking for yourself and updating this article if you confirm.

  3. Richard Allen
    March 10, 2015 at 9:57 pm

    Android:
    Chrome Beta is SAFE and actually very stable.
    Firefox is SAFE.
    Dolphin Browser is VULNERABLE.

  4. No_name
    March 10, 2015 at 9:07 pm

    Apple have apparently released an update for the 3rd generation Apple TV?

    How would the Apple TV be affected and what does this mean for owners of the previous Apple TVs?

  5. mastaeit
    March 10, 2015 at 5:38 pm

    Naked browser (Android) - not affected.
