Thursday, March 5, 2015

Freak, a very serious vulnerability that affects millions of sites – JDN

The flaw can force web browsers back to a weaker encryption mode that is much easier to break.

Security researchers from INRIA, Microsoft Research and the Spanish IMDEA research institute have discovered a new major flaw in the TLS/SSL encryption system. It allows an attacker to force an SSL transaction back to a previous version of the protocol and then break it more easily. The story was revealed this morning in the pages of the Washington Post.

The flaw was baptized Export Factoring RSA Keys (Freak), a reference to the SSL encryption keys. It is a legacy of United States security policy of the 1990s: the NSA had then deliberately made sure it had a back door into RSA encryption on the web. Although that practice has since been abandoned, the mechanism apparently still exists in some systems.
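As an added illustration (not code from the JDN article or from the researchers), a defender-side check in Python: it reads the cipher suite a server selected in its TLS ServerHello and flags the export-grade suites listed in RFC 2246 Appendix A.5, which is exactly what a successful downgrade of this kind leaves in the handshake. The ServerHello bytes are constructed inline for the demonstration, and the function names are my own.

```python
import struct

# Export-grade cipher suite code points from RFC 2246 (TLS 1.0), Appendix A.5.
# The RSA_EXPORT entries are the ones a Freak downgrade lands on: the server
# then uses a short "export" RSA key that is cheap to factor.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

def server_hello_cipher(record: bytes) -> int:
    """Return the cipher suite selected in a TLS ServerHello record.

    Layout: 5-byte record header, 4-byte handshake header, then
    version(2) random(32) session_id_len(1) session_id cipher_suite(2).
    """
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a TLS handshake ServerHello record")
    body = record[9:]
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + body[34]                      # skip version, random, session id
    if len(body) < off + 2:
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", body[off:off + 2])[0]

def flag_export_downgrade(record: bytes):
    """Name of the export suite negotiated, or None if the suite is not export-grade."""
    return EXPORT_SUITES.get(server_hello_cipher(record))

def build_server_hello(suite: int) -> bytes:
    """Constructed test data: a minimal TLS 1.0 ServerHello without extensions."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

DOWNGRADED = build_server_hello(0x0008)   # server accepted RSA_EXPORT DES40
NORMAL = build_server_hello(0x002F)       # TLS_RSA_WITH_AES_128_CBC_SHA

if __name__ == "__main__":
    print(flag_export_downgrade(DOWNGRADED))  # TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
    print(flag_export_downgrade(NORMAL))      # None
```

The same lookup applied to a server's own cipher list (for example in its TLS configuration) tells an operator whether the export suites the article describes are still enabled.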

The flaw is exploitable through bugs in Safari and Android, but also through the OpenSSL infrastructure. Millions of web sites are said to be affected, among them the sites of American Express, the White House, the FBI and even the NSA. Web servers that rely on content delivery networks (CDN) would be particularly affected. This is reported to be the case for Akamai, which has announced it is working on a patch.

Apple is also working on a fix, and Google has announced that a patch has already been distributed to its Android partners. Internet Explorer, Chrome and Firefox are not affected.
