
AngerDanger

Graphics
Staff member
Dec 9, 2008
5,452
29,005
Ridiculous comment. Computers are much, much more than twice as fast as bananas in breaking encryption. Maybe they were closer back in the '90s.

Hey, back off, man! If you think you can find a more up-to-date source for banana versus computer computations, feel free to post it, but don't drag me through the mud!
 

Agent-P

Contributor
Dec 5, 2009
2,502
23
The Tri-State Area
I'm still trying to work out how you get from "Factoring Attack on RSA-EXPORT Keys" to FREAK. This is taking acronym creation into a whole new dimension.

That was my biggest hangup from the article too (which says something about me). Forget the content, that acronym makes no sense!
 

scaredpoet

macrumors 604
Apr 6, 2007
6,628
360
No impact on Windows?

If you look at the website, the issue mitigation seems to be focused more on servers rather than clients. Though, it's possible that IE simply rejects the use of RSA-EXPORT keys, while Safari and Google's browser for Android Mobile devices still permits them. The fix on the client side, then, would be in patching these browsers.

My guess is the issue on the browser side is somewhere in WebKit source code, and that's where the client-side vulnerability lies. On the server end, it just stems from the fact that the current default Apache configuration will tolerate connections from all sorts of old, insecure ciphers.

Also, how did this end up impacting open source software?

See above.

It seems to me the open source community would just ignore any laws like this (who would be busted for it?) And OS X comes from BSD, which is open source, did it not?

While BSD itself probably has nothing to do with it, the answer is pretty simple: at the time, if Apple was found to be exporting "strong" encryption to banned countries, they'd face some stiff fines at the very least, and at worst Steve could've faced jail time, inventory could've been confiscated, etc. Doesn't matter if they didn't write it themselves... if it's on the hard drive of the computer they're selling, they would've been held responsible for it.

Likewise, companies like AOL (which own Netscape, forerunner of Firefox) had to take reasonable extra care to allow export-only versions of their browser to be downloaded outside of the US or permitted ally-countries.

In reality, sure, it probably happened a lot that maybe someone accidentally took a laptop with "strong" encryption with them on a trip to Iran or something, and they might've gotten away with it too. But if there were any reason the government wanted to give you a hard time, and it was easy to prove your export controls were sloppy, that's what they would zero in on.
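An added example, not part of any post in this thread: a small audit that flags export-grade cipher suites in a list of suite names, separating the RSA key-exchange ones that the "RSA-EXPORT" in FREAK refers to. The sample list is constructed for illustration and the function names are hypothetical; classification is by suite name only, using the OpenSSL `EXP` prefix and the IANA `_EXPORT` marker.

```python
import ssl

# Key-exchange tokens that mean an OpenSSL-style name is NOT plain RSA key exchange.
NON_RSA_KX = {"EDH", "DHE", "ADH", "DH", "ECDH", "ECDHE", "AECDH", "KRB5"}

def is_export(name):
    """True for export-grade suites in OpenSSL (EXP-...) or IANA (..._EXPORT...) naming."""
    n = name.upper()
    return n.startswith("EXP") or "_EXPORT" in n

def uses_rsa_key_exchange(name):
    """True when the suite name indicates RSA key exchange."""
    n = name.upper()
    if n.startswith("TLS_"):
        return n.startswith("TLS_RSA_")
    return not any(part in NON_RSA_KX for part in n.split("-"))

def audit(names):
    """Split export-grade suites into RSA key exchange and everything else."""
    report = {"rsa_export": [], "other_export": []}
    for name in names:
        if is_export(name):
            key = "rsa_export" if uses_rsa_key_exchange(name) else "other_export"
            report[key].append(name)
    return report

def audit_local_defaults():
    """Audit the suites enabled in this Python/OpenSSL default client context."""
    ctx = ssl.create_default_context()
    return audit([c["name"] for c in ctx.get_ciphers()])

# Constructed sample: suite names as they might appear in a scan or config dump.
SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
    "EXP-RC4-MD5",
    "EXP-EDH-RSA-DES-CBC-SHA",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    print("sample:", audit(SAMPLE))
    print("local defaults:", audit_local_defaults())
```

Any entry under `rsa_export` on a server or client is a configuration to disable.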
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
Export Grade meat ain't half bad, though. Don't let the appearance and smell fool you. Give it a chance!
 

sbailey4

macrumors 601
Dec 5, 2011
4,512
3,153
USA
I'm still trying to work out how you get from "Factoring Attack on RSA-EXPORT Keys" to FREAK. This is taking acronym creation into a whole new dimension.

That was my biggest hangup from the article too (which says something about me). Forget the content, that acronym makes no sense!

Maybe it's "Factoring Rsa Export Attack Keys" instead :)
 

coolfactor

macrumors 604
Jul 29, 2002
7,202
9,992
Vancouver, BC
I mean….
...from a U.S. government policy that once prevented companies from exporting strong encryption, requiring them to instead create weak "export-grade" products to ship to customers outside of the United States

WTF??

Yes, back in the early days of the web, there was a "secure" version of Netscape Navigator that you had to purchase a good deal of money for in order to obtain it outside the US borders. It was due to the use of 1024-bit encryption or some such thing.

----------

Will the fix be Yosemite only?

Are you one of those holding on to Mavericks with a death grip?
 

KdParker

macrumors 601
Oct 1, 2010
4,793
998
Everywhere
Another one of those security flaw reports where you get the sinking feeling that the hackers that Apple and others are fighting are the governments themselves.

Let's just put Skynet online and get it over with.

Who said skynet is not live already.
 

apfelmark

macrumors newbie
Apr 28, 2014
2
0
Yes, back in the early days of the web, there was a "secure" version of Netscape Navigator that you had to purchase a good deal of money for in order to obtain it outside the US borders. It was due to the use of 1024-bit encryption or some such thing.

Remembering those times makes me feel so old :(
 

dempson

macrumors regular
Jun 10, 2007
117
14
Wellington, New Zealand
Will the fix be Yosemite only?

Apple is currently supporting Mountain Lion, Mavericks and Yosemite with security updates and Safari updates, so it is reasonable to assume they will all get this problem fixed, probably via a Safari update. Safari will still be vulnerable in Lion and earlier. (Firefox is apparently not affected by this issue, and Chrome is supposed to be getting an update shortly.)

On iOS, I'd expect this fix to be included in the public release of 8.2 after the media event next Monday, assuming Apple found out about it early enough to include it in that version, otherwise they might release 8.2.1 and skip 8.2. iOS 8.1.x and earlier (including iOS 7.x or earlier major versions) will still be vulnerable.

If Apple thinks this is a serious enough issue, they might also release an iOS 7 update for the iPhone 4 (only), as happened previously with "late" iOS 6 updates for security fixes on devices not supported by iOS 7 (e.g. iPhone 3GS).
 

V.K.

macrumors 6502a
Dec 5, 2007
718
467
Toronto, Canada
Both this article and the original Washington Post story do an absolutely terrible job explaining what this bug is, how it can be exploited and what it has to do with Google and Apple.
At the very least they should mention that while Safari and Chrome on OS X are vulnerable to FREAK, Firefox is not.
I had to go to Ars to read a good and understandable explanation of what the heck this is really about.
 

Oletros

macrumors 603
Jul 27, 2009
6,002
60
Premià de Mar
I mean….
...from a U.S. government policy that once prevented companies from exporting strong encryption, requiring them to instead create weak "export-grade" products to ship to customers outside of the United States

WTF??

PGP was available outside USA as a listing in a whole book because of that law. Exporting software was forbidden, but books were allowed.
 

japanime

macrumors 68030
Feb 27, 2006
2,916
4,844
Japan
Yes, back in the early days of the web, there was a "secure" version of Netscape Navigator that you had to purchase a good deal of money for in order to obtain it outside the US borders. It was due to the use of 1024-bit encryption or some such thing.


I remember it well. Here in Japan, I couldn't legally download the US version of Netscape (because, I guess, Japan was one of the "rogue nations" the US spooks were trying to thwart).

Anyway, I simply went through a US proxy server and downloaded the secure version.

Those were the days...
 

MCSN

macrumors regular
Feb 7, 2012
103
0
Kayenta
maybe they should call it the

NSA Enabled Acquired Tek Factoring Attack on RSA-EXPORT Keys.

aka NEAT FREAK vulnerability

now I could use a vulnerability like that.
 

sjinsjca

macrumors 68020
Oct 30, 2008
2,238
555
I mean….
...from a U.S. government policy that once prevented companies from exporting strong encryption, requiring them to instead create weak "export-grade" products to ship to customers outside of the United States

WTF??

This was in the era that nearly saw Phil Zimmermann prosecuted for PGP. He ended up publishing it as a book to underscore the rush to censorship that was going on in Washington. There were two attempts (that I know of) to sneak draconian encryption-criminalization wording into unrelated bills-- both by then-Senator Joe Biden.
 

Tech198

Cancelled
Mar 21, 2011
15,915
2,151
Freak !!

What word is next I wonder...

I would add, anytime the government gets involved in anything u have trouble when encryption is also mentioned.

Maybe it's about time to stop using all tech.... Throw that iPhone out the window like u saw in so many TV shows/movies.

I have no problem with that. :D
 

PinkyMacGodess

Suspended
Mar 7, 2007
10,271
6,227
Midwest America.
Ooops...

I still find it disgusting on a high level that our government would know about flaws in software that corporations and people use, and not alert anyone about it, and work to exploit those flaws to spy on us.

And including 'backdoors' only goes as far as that 'backdoor' is hidden, and given the sophistication of hackers and investigators these days, they aren't likely to stay hidden for very long.
 