Ars Technica is reporting on a new attack against HTTPS called FREAK. The devices reported as vulnerable include iPhones, Android devices, and Macs running OS X. The attack (as I understand it) is that an active MITM can inject packets that will result in a downgrade to the old 512-bit RSA-EXPORT keys to secure the connection, which of course isn't very secure at all and can therefore be brute-forced.
How come these keys are still active in so many devices and services? Especially Apple devices - we all know how they often cut loose dated technology quickly. I would have thought once the export of crypto from the States was relaxed, these weak keys would have been pulled much quicker than appears to be the case.
Further reading: Blog post by Matthew Green, the official website (appears down as I post).
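To see whether export-grade RSA is still being offered or accepted on a link, a monitoring sensor can inspect the cipher suites in captured TLS hellos. The following is an added example, not part of the original post: the function names are hypothetical, the suite IDs are the IANA values for the RSA_EXPORT suites, and it assumes each hello arrives unfragmented in a single record.

```python
import struct

# IANA cipher suite IDs that use the 512-bit RSA_EXPORT key exchange.
RSA_EXPORT = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def _hello(record, hs_type):
    """Return (body, offset past version + random + session_id) of a hello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != hs_type:
        raise ValueError("not the expected TLS handshake message")
    length = int.from_bytes(record[6:9], "big")
    body = record[9:9 + length]
    if len(body) != length or length < 35 or 35 + body[34] + 2 > length:
        raise ValueError("truncated hello")
    return body, 35 + body[34]

def offered_suites(client_hello):
    body, off = _hello(client_hello, 0x01)
    (n,) = struct.unpack_from(">H", body, off)
    if n % 2 or off + 2 + n > len(body):
        raise ValueError("bad cipher_suites length")
    return list(struct.unpack_from(">%dH" % (n // 2), body, off + 2))

def selected_suite(server_hello):
    body, off = _hello(server_hello, 0x02)
    return struct.unpack_from(">H", body, off)[0]

def audit(client_hello, server_hello):
    """Findings for one captured ClientHello/ServerHello pair."""
    offered, chosen = offered_suites(client_hello), selected_suite(server_hello)
    findings = ["client offers " + RSA_EXPORT[s] for s in offered if s in RSA_EXPORT]
    if chosen in RSA_EXPORT:
        findings.append("server selected " + RSA_EXPORT[chosen])
    if chosen not in offered:
        findings.append("selected suite 0x%04x was never offered" % chosen)
    return findings

def make_hello(hs_type, tail):
    """Constructed test record: TLS 1.0, all-zero random, empty session id."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + tail
    header = b"\x16\x03\x01" + struct.pack(">H", len(body) + 4)
    return header + bytes([hs_type]) + len(body).to_bytes(3, "big") + body

# Constructed sample: client offers 0x002f and 0x0003, server picks 0x0003.
SAMPLE_CH = make_hello(0x01, b"\x00\x04\x00\x2f\x00\x03\x01\x00")
SAMPLE_SH = make_hello(0x02, b"\x00\x03\x00")

if __name__ == "__main__":
    print(audit(SAMPLE_CH, SAMPLE_SH))
```

An empty result means neither side touched an RSA_EXPORT suite in that handshake; any finding points at an endpoint whose export suites should be disabled.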