90s US "weaker encryption" policy comes back to haunt it

The US government has been fighting against recent efforts in the tech industry to strengthen security measures, especially against government snooping. In essence, it wants a backdoor into services and devices in order to get access to crucial information it needs to fight crime and terrorism. Apparently, this has been done before, and the government would do well to take heed of the outcome. A security policy enacted decades ago has found its way back to the US and is compromising the security of supposedly secure websites, including some of the government's own.

During the so-called "Crypto Wars", the US forbade the export of strong encryption in software products shipped to other countries. The weaker "export-grade" encryption used only 512-bit keys and was designed so that the US could break such cryptography in the name of national interests. Although the government eventually lifted that ban, the weakened cipher suites have apparently become too deeply embedded in software to be removed and are now making their way back to the country with disastrous results.

Nicknamed the FREAK flaw, the vulnerability allows hackers to force some browsers to use the weaker encryption. Given a 512-bit key, which security researchers consider too weak, it can take an average of 7 hours for a hacker to break it and mount a man-in-the-middle (MITM) attack, letting him or her snoop on the connection and gain access to accounts, passwords, and other personal information.
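The following is an added illustration, not code from the article or from any of the vendors it mentions, of what a defender can check for: it parses a TLS ClientHello record (constructed here for the example) to list the cipher suites a client offers, flags the registered export-grade suites, and classifies the server's choice relative to what was offered. A server picking an export suite the client never asked for is the downgrade pattern the article describes. The function names and the sample handshake are the example's own assumptions.

```python
"""Audit a TLS handshake for export-grade cipher suites (added example)."""
import struct

# Export-grade cipher suite identifiers from the IANA TLS registry
# (40-bit symmetric keys with 512-bit RSA or DH key exchange).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}


def build_client_hello(suites):
    """Construct a minimal TLS 1.2 ClientHello record offering `suites`
    (sample input for the example; no extensions, empty session id)."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"   # client_version, random, session_id length 0
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                             # one compression method: null
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # handshake record, TLS 1.0 wire version


def parse_client_hello(record):
    """Return the list of cipher suite ids offered in a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:]                                  # skip the 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:]                                    # skip type + 3-byte length
    pos = 2 + 32                                     # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                               # skip session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites length in bytes
    pos += 2
    return [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]


def export_suites_in(suites):
    """Names of any export-grade suites present in an offered list."""
    return [EXPORT_SUITES[s] for s in suites if s in EXPORT_SUITES]


def check_negotiation(offered, selected):
    """Classify the server's ServerHello choice against the client's offer.

    The FREAK pattern is an export suite that appears in the ServerHello even
    though the client never offered it; a correct client must reject that."""
    if selected in EXPORT_SUITES:
        if selected not in offered:
            return "downgrade: export suite selected but never offered (FREAK pattern)"
        return "weak: client offered and server chose an export suite"
    if selected not in offered:
        return "invalid: server chose a suite the client did not offer"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a modern client offer plus one legacy export suite.
    record = build_client_hello([0xC02F, 0x002F, 0x0003])
    offered = parse_client_hello(record)
    print("offered:", [hex(s) for s in offered])
    print("export-grade offered:", export_suites_in(offered))
    print(check_negotiation([0xC02F, 0x002F], 0x0003))
```

For a live server, the equivalent check was to offer only export suites and see whether the handshake succeeds, for example `openssl s_client -connect host:443 -cipher EXPORT` on an OpenSSL build that still includes those suites; a server that completes that handshake is the server half of the problem, and a browser that accepts the 512-bit key without having offered an export suite is the client half.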

While the US government might actually be happy that such a backdoor still exists, even its own websites are at risk. In fact, a large majority of people are at risk, even when they think they are using secure connections via SSL. According to reports, more than one-third of websites are vulnerable, and of the 14 million that are vulnerable, 5 million remained so even after being made aware of the issue. Ironically, one of those is NSA.gov. Security proponents are using the incident as a warning to those who push for intentionally weakening software security for the sake of law enforcement: once a backdoor is created, it could take decades before it is even noticed.

Tech companies with web products are quickly responding to the threat. Apple says it will be rolling out an update for Mac OS X and iOS. Firefox on both desktop and mobile is safe. Google's desktop Chrome isn't affected, but its Android browsers are. Google says it has already provided a patch, but it will be up to its partners, both OEMs and carriers, to roll it out on their own schedule.

SOURCE: Washington Post