
"This is basically a zombie from the '90s... I don't think anybody really realized anybody was still supporting these export suites."

I'll bet the NSA knew it was still being used. 'Course if the vulnerability is there, it's there for anyone who wants to use it (criminals, China, NSA etc.).

I was hoping to hear more about the technical details of the vulnerability and how bad this is (i.e. is this in Safari, should we not do secure website use till it's fixed?)

Anyone who has looked at OpenSSL code knows what kind of horror is still lurking out there from the 90's. Why developers insist on backwards compatibility with broken crypto is beyond me.
 
Isn't the TWERK vulnerability employed by the secret service for the Pres at the White House already? :D

Can encryption protect you if you use a homeland security red flag word as a passcode?

"The Skynet 5 satellite is based on the Eurostar E3000 bus design, weighs about 4700 kilograms, has two solar panels each about fifteen metres long, and has a power budget of five kilowatts. It has four steerable transmission dishes, and a phased-array receiver designed to allow jamming signals to be cancelled out. They will also resist attempts to disrupt them with high-powered lasers.[16]" http://en.m.wikipedia.org/wiki/Skynet_(satellite)

forget banana encryption blasting, where can I get two 15 metre solar panels that produce 5 kilowatts?
 
Just to put an update on this. This affects all https connections with Safari and Google Chrome on OS X and iOS - making them potentially vulnerable.

Firefox on OS X tests as safe. iOS is stuck - best not to make https connections on those devices till the patch comes out (I know pretty bad).

Google is supposedly rolling out an updated version of Chrome to fix this as well - but for now using Firefox is the best plan till Apple gets an update tested and in place (as this will be increasingly exploited as time goes on).

The possible out for iOS users would be if Google's Chrome update gives users an out on the iOS platform (cross fingers). Wish Apple would reconsider allowing Firefox on iOS - monocultures in real life or the technical security can be problematic.
 
Just to put an update on this. This affects all https connections with Safari and Google Chrome on OS X and iOS - making them potentially vulnerable.

Firefox on OS X tests as safe. iOS is stuck - best not to make https connections on those devices till the patch comes out (I know pretty bad).

Google is supposedly rolling out an updated version of Chrome to fix this as well - but for now using Firefox is the best plan till Apple gets an update tested and in place (as this will be increasingly exploited as time goes on).

The possible out for iOS users would be if Google's Chrome update gives users an out on the iOS platform (cross fingers). Wish Apple would reconsider allowing Firefox on iOS - monocultures in real life or the technical security can be problematic.

I believe it can only be exploited if the server you connect to allows the downgraded certificate. Many sites, like banking sites, don't, and haven't for quite a long while. I use Firefox anyway; I'm safe regardless.
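The post above turns on whether the server still allows the export-grade downgrade. As an added example that is not from this thread or from any of the vendors named in it, the Python below parses a captured TLS ClientHello or ServerHello, flags export-grade cipher suites by their RFC 2246 code points, and checks the RFC rule that the server's chosen suite must be one the client actually offered (a mismatch in a capture means the ClientHello was rewritten somewhere on the path). The two hello records are constructed inside the block for the demo, not real captures.

```python
"""Audit a captured TLS 1.0-1.2 handshake for export-grade cipher suites.

Added example, not code from the thread. The code points are the RFC 2246 /
IANA values; the hello records built below are constructed sample data.
"""
import struct

# Export-grade suites from RFC 2246 (40-bit RC4/RC2/DES40, 512-bit RSA/DH keys).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2


def parse_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello or ServerHello.

    Returns {"type": "client"|"server", "suites": [...], "export": [...]};
    "suites" is the offered list (client) or the single chosen suite (server).
    """
    if len(record) < 5 or record[0] != HANDSHAKE or record[1] != 3:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 35:
        raise ValueError("truncated handshake message")
    # Both hellos start with version(2) random(32) session_id<0..32>.
    pos = 2 + 32
    pos += 1 + hs[pos]
    if hs_type == CLIENT_HELLO:
        (cs_len,) = struct.unpack("!H", hs[pos:pos + 2])
        pos += 2
        if cs_len % 2 or pos + cs_len > len(hs):
            raise ValueError("bad cipher_suites vector")
        suites = [struct.unpack("!H", hs[pos + i:pos + i + 2])[0]
                  for i in range(0, cs_len, 2)]
        kind = "client"
    elif hs_type == SERVER_HELLO:
        suites = [struct.unpack("!H", hs[pos:pos + 2])[0]]
        kind = "server"
    else:
        raise ValueError(f"handshake type {hs_type} is not a hello")
    export = [EXPORT_SUITES[s] for s in suites if s in EXPORT_SUITES]
    return {"type": kind, "suites": suites, "export": export}


def selected_not_offered(client_record: bytes, server_record: bytes) -> bool:
    """True when the server chose a suite the client never offered.

    RFC 2246 requires the server to pick from the client's list, so a mismatch
    in a capture means something on the path rewrote the ClientHello.
    """
    offered = parse_hello(client_record)["suites"]
    chosen = parse_hello(server_record)["suites"][0]
    return chosen not in offered


def build_hello(hs_type: int, suites: list) -> bytes:
    """Construct a minimal TLS 1.0 hello record (sample data, not a capture)."""
    version, random_bytes, session_id = b"\x03\x01", bytes(32), b"\x00"
    if hs_type == CLIENT_HELLO:
        cs = b"".join(struct.pack("!H", s) for s in suites)
        body = (version + random_bytes + session_id
                + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    else:
        body = version + random_bytes + session_id + struct.pack("!H", suites[0]) + b"\x00"
    msg = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    # Constructed flow: a client still advertising two export suites and a
    # server that picks one of them, i.e. the downgrade the thread is about.
    client = build_hello(CLIENT_HELLO, [0xC02F, 0x002F, 0x0003, 0x0008])
    server = build_hello(SERVER_HELLO, [0x0003])
    for rec in (client, server):
        info = parse_hello(rec)
        print(info["type"], "export suites:", info["export"] or "none")
    clean_client = build_hello(CLIENT_HELLO, [0xC02F, 0x002F])
    print("server chose a suite the client never offered:",
          selected_not_offered(clean_client, server))
```

To use it on real traffic, feed `parse_hello` the raw bytes of the first handshake record in each direction of a connection (for example as exported from a packet capture); the script itself opens no sockets. A server whose ServerHello never selects any of these code points cannot be downgraded by this route, which is the condition the post above describes.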
 
That's why TrueCrypt seems the only true encryption solution, although the authors "officially" claim that the application is weak and hence it was discontinued.
 
best not to make https connections on those devices till the patch comes out (I know pretty bad).
I followed your advice and now some Nigerian prince sniffed my banking password and emptied out my 401k.

Please send your contact details, or those of your lawyers. Mine wants to discuss the validity of your advice.
 
The article says we've been exploited for years. Finally someone has recognized our collective suffrage.
 
the vulnerability stems from a U.S. government policy that once prevented companies from exporting strong encryption

Ah, another example of "well intentioned" government regulation hard at work! Bring on Internet regulation baby! Woo Hoo! :)

Really, I'd like to dump some tea (or maybe Starbucks these days) into Boston harbor to celebrate but all those record snow piles from global warming are currently blocking it. ;)
 
Once an update for this is available for Mac users, will any OS, i.e. Snow Leopard etc., be able to download it via "Software Update"? I haven't seen too many updates for my SL OS in a long time.
 
Once an update for this is available for Mac users, will any OS, i.e. Snow Leopard etc., be able to download it via "Software Update"? I haven't seen too many updates for my SL OS in a long time.

The update is out now but only for 10.8.5, 10.9.5, and 10.10.2. Snow Leopard is no longer supported by Apple.
 
That's why TrueCrypt seems the only true encryption solution, although the authors "officially" claim that the application is weak and hence it was discontinued.

Seemed. It's strongly suspected the encryption keys were stolen, most probably by the government. They (the FBI and CIA) had straight up asked Microsoft to put backdoors into BitLocker and for the encryption keys. According to Biddle, an ex-Microsoft employee, they usually got what they wanted without overtly building backdoors. That TrueCrypt left a message saying they were folding and BitLocker (a Windows encryption software) was a good solution was seen as a warrant canary. Also, their instructions for creating encrypted disk images in OS X did not require setting a password, hence the impression that that too was compromised in some way.
 
Seemed. It's strongly suspected the encryption keys were stolen, most probably by the government. They (the FBI and CIA) had straight up asked Microsoft to put backdoors into BitLocker and for the encryption keys. According to Biddle, an ex-Microsoft employee, they usually got what they wanted without overtly building backdoors. That TrueCrypt left a message saying they were folding and BitLocker (a Windows encryption software) was a good solution was seen as a warrant canary. Also, their instructions for creating encrypted disk images in OS X did not require setting a password, hence the impression that that too was compromised in some way.

There is an emblematic case from a Brazilian banker called Daniel Dantas in 2008. It's said that his archives (supposedly containing illegal transactions) were encrypted with TrueCrypt and could never be deciphered, something that may or may not be true, since the decrypting process was being made with the help of the FBI. Below there is a link (in Portuguese) about the case. The title basically says: "Not even the FBI can decipher Daniel Dantas' files, says newspaper".
http://g1.globo.com/politica/noticia/2010/06/nem-fbi-consegue-decifrar-arquivos-de-daniel-dantas-diz-jornal.html
 
There is an emblematic case from a Brazilian banker called Daniel Dantas in 2008. It's said that his archives (supposedly containing illegal transactions) were encrypted with TrueCrypt and could never be deciphered, something that may or may not be true, since the decrypting process was being made with the help of the FBI. Below there is a link (in Portuguese) about the case. The title basically says: "Not even the FBI can decipher Daniel Dantas' files, says newspaper".
http://g1.globo.com/politica/noticia/2010/06/nem-fbi-consegue-decifrar-arquivos-de-daniel-dantas-diz-jornal.html

With Truecrypt's downfall, I'd say that case is even more emblematic. Also emblematic was the court case that said that individuals cannot be compelled to give up passwords. But 2008 is not 2015, and the game has gotten even more aggressive.
 
Seemed. It's strongly suspected the encryption keys were stolen, most probably by the government. They (the FBI and CIA) had straight up asked Microsoft to put backdoors into BitLocker and for the encryption keys. According to Biddle, an ex-Microsoft employee, they usually got what they wanted without overtly building backdoors. That TrueCrypt left a message saying they were folding and BitLocker (a Windows encryption software) was a good solution was seen as a warrant canary. Also, their instructions for creating encrypted disk images in OS X did not require setting a password, hence the impression that that too was compromised in some way.

I think it is safe to assume that both BitLocker and FileVault have been backdoored or compromised. Frankly, any closed source encryption software, especially from a US company, should be regarded as absolutely untrustworthy.
 