FREAK Internet security flaw.
Would the agilebits team like to comment on this latest flaw?
You can check this by going to http://www.freakattack.com
1Browser is affected as are all Safari versions. Chrome is unaffected.
Apple says a patch is forthcoming.
Comments
-
Would the agilebits team like to comment on this latest flaw?
It has: see this post on the 1P for Mac forum.
Stephen
0 -
Thanks. Unfortunately Apple, being Apple, will most likely patch iOS 8 compatible devices and not iOS 7 ones. Or Mavericks and Yosemite.
0 -
That is entirely possible, but we won't know until there is further information from Apple. :)
0 -
It has been discovered the FREAK now affects Windows as well.
reuters.com/article/2015/03/06/us-cybersecurity-freak-microsoft-idUSKBN0M220920150306
The recommendation is to disable RSA export ciphers via gpedit.
0 -
iOS 8.2 and OS X updates for 10.8 - 10.10 are out. iOS 8.2 has fixed the FREAK attack SSL/TLS issue for me.
0 -
I've read of plugins for Firefox that force websites to use HTTPS. Might be something worth checking out. I looked into that, but couldn't tell if the plugins for that is safe.
0 -
The FREAK issues is only partially resolved as the iOS and Android App Stores have been found to be affected.
"The FireEye researchers didn't identify the vulnerable apps. Android and iOS users should contact specific app makers to find out if their wares are affected. To test if browsers are vulnerable, visit this page. This SSLLabs page will test if a server offers weak, 512-bit keys."
0 -
I just read an article that some/many third party Apps are vulnerable to FREAK since they are using outdated libraries. Please reassure me that 1Password doesn't have this problem. That would be sad if it does since the main reason to use 1Password is to store passwords used with https sites.
0 -
Hi @itechieguy,
Please see above. Thanks!
0 -
Does anyone use that HTTPS plugin for Firefox that forces websites to use the HTTPS?
It's a plugin that's mentioned here and there on the net, but don't know if it works or is safe. But the plugin sounds like a good idea as when I go to a site. I just plug in the www. or click on a link.
0 -
@baker: I think HTTPS Everywhere is what you're referring to. I've used it in the past, and it is handy as a kind of shortcut, automating the process of preferring a secure connection, where available.
The bad news is sites themselves have to support secure connections; and this wouldn't protect against a downgrade attack like FREAK in the first place; that's up to the browser (or OS) to patch the flaw. The good news is that most have by now.
I am really not a fan, though, of HTTPS Everywhere being billed as
a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure
since the addon/plugin/extension isn't actually making the browser more secure at all: SSL/TLS are built-in in the first place; HTTPS/E is just trying to force secure connections on sites that support it but the user hasn't expressly taken advantage of it. It's a bit misleading (though I'm sure it isn't intentional -- these things can be hard to communicate), especially since you have to click on 'read more' to view the part where they say
HTTPS Everywhere can protect you only when you're using sites that support HTTPS and for which HTTPS Everywhere include a ruleset
which is true. I know this has confused novice users and had them believing that simply installing HTTPS/E makes their browser more secure. Always read the 'fine print'. ;)
0 -
Yeah, it's HTTPS Everywhere. I'm guessing that plugin is safe where you linked to? I tried looking it up through Firefox's addon search, but couldn't find it. Could only find it via a link like what you posted.
And yes, I kind of understood for HTTPS Everywhere to function, the website would have to support HTTPS. But that it would force the website to use HTTPS instead of HTTP. As I guess there are websites out there that can/use either one when going to their site.
0 -
We're not in the business of credentialing 3rd party apps/extensions as "safe," but I personally have used it, Brent mentioned he has used it, and it is made by the EFF, so I'll leave you to draw your own conclusions from that. :)
As I guess there are websites out there that can/use either one when going to their site.
Yes, there are still many sites that don't default to HTTPS (AgileBits.com does), and those are cases where HTTPS Everywhere or similar could be handy.
0 -
@baker: Just to follow up with some additional info, there are both malicious and benign websites that use either secure or insecure connections. HTTPS is just a matter of using encryption to establish (and maintain) a private, secure connection between your web browser and the web server at the other end.
Of course, plenty of legitimate sites use 'plain old' HTTP connections when privacy and security are not necessarily a concern (when going to a news website, or watching your web videos for instance). Traditionally websites were predominantly not using secure connections, and you would be directed to a secure page when appropriate (logging into your bank online, ecommerce transactions, etc.) This was because the encryption being performed is resource intensive to a degree (on both your computer and the webserver, but the webserver has a lot more than just your connection to manage).
As computers (and mobile devices!) have become more powerful and have encryption technology built in, there is much less of a computational burden on both the client and the server. Secure connections have become less 'expensive' (both literally and technically); and similarly threats to privacy and security have escalated; so more and more sites are either offering support for HTTPS connections or using themby default. In time probably all sites will use HTTPS exclusively, especially as Google moves to ranking secure sites higher in search results.
As with all software, you have to decide who you trust (unless you've audited the source code yourself); and while AgileBits doesn't officially endorse, support, or vet 3rd party extensions or other software, as a private citizen I hold the Electronic Frontier Foundation in high regard as a an organization that advocates for privacy and individual rights. :)
0 -
I use HTTPS everywhere too but according to the EFF, HTTPS Everywhere for Chrome is always beta because of the way Chrome works.
Mobile devices don't support extensions like the traditional PCs do.
0 -
0
-
@wkleem: Yep! That's the one I linked above. Mainly I think it's that Chrome evolves so quickly, and often extensions get broken in the process. Mobile browsers don't have extension APIs yet, but with iOS gaining extension support perhaps that will change in the future. Cheers! :)
0 -
Interesting. Thanks for the additional info! :)
0
