The measure, which prevented American companies to export products with the strongest data encryption protocol, forced companies to lower levels of security (512 bit was the limit) in products sold to other countries, an option that was never reviewed although the government measure has been withdrawn at the end of the 90s.
This measure was intended to keep open the possibility of “enter” on mobile phones sold by US companies, if the authorities had need to carry out surveillance activities. When the measure expired using weaker encryption standards continued to be part of integrated software products distributed all over the world and even in the United States.
The discovery was made a few weeks ago by security experts who identified the fault as Freak attack. The problem affects OpenSSL and Apple SecureTransport – which derives from the Transport Layer Security protocol, both with vulnerable versions. OpenSSL is a protocol open source used in various products including browsers for Android. The technology used by Apple’s applications for iOS and OSx, such as Safari for iPhone, iPad or iPod.
If exploited, the flaw allows decipher login information and other sensitive data provided in secure connections (HTTPS sites), made from a vulnerable browser. Intercepting the traffic when the browser connects to an HTTPS site and shows the list of available protocols to access supposedly secure services, such as the bank’s website or email, an attacker can force the choice of options and weaker when the connection is established with these parameters takes advantage of the vulnerabilities of the protocols to access the data.
The two companies, Google and Apple, already assured the Cnet who are working in corrections, which have available soon. Apple plans to release a fix already next week and Google is working in the same direction, to get a fix to mobile phones and mobile operators manufacturers.
The researchers found that the failure adiantaram the Washington Post that to date found no evidence that the vulnerability had been exploited and that someone has actually been affected by the risk, but the possibility exists. In the tests we performed easily managed to prove it, guarantee.
In these tests the researchers could force sites to use weak encryption systems, which in a few hours and after that managed to circumvent passwords or access to appropriate other elements of the page.
Written under the new Spelling Agreement
No comments:
Post a Comment