Should you be 'Freak'ing out over the Freak vulnerability?
Industry Perspectives 2022-05-23
Is the latest vulnerability something you should be concerned about? The short answer is yes, so let’s take a look at it.
The first important point is that, to date, no one has been seen exploiting this vulnerability in the wild. That doesn’t mean it won’t happen; it just hasn’t been observed at this point in time.
As it has been reported, the vulnerability itself is tied to an old government policy that required all US software companies to use weaker security in any encryption algorithms being exported for overseas use. Thankfully that government program is no longer in place.
Where the issue has come to light, however, is backwards compatibility: almost a third of the world’s websites and some very popular web browsers continue to support the old, weaker encryption standard. This particular vulnerability is tied to a method by which an attacker can force a browser to use that weaker standard. Once the less secure encryption is forced on a user, the attacker can crack the weakly encrypted session and gather your credentials and any other data you passed during that browser session. This is known as a Man-In-The-Middle (MITM) attack, and, while cracking the weaker encryption was not easy when the export program was in place, more powerful computing platforms and existing botnets have since made it relatively easy.
While the old, weaker encryption standard is now typically disabled by default, it still exists on many sites around the world, is supported by a number of browsers, and can be forced back on via this vulnerability. Apple’s Safari and Google’s Android browser are both affected, and both vendors are working on a patch. Affected websites need to fix their configuration to stop supporting the outdated weak encryption standard, and users should download the latest patch for their browser from the vendor.
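The "weaker encryption standard" the article refers to is the set of export-grade TLS cipher suites (FREAK hinges on a server still accepting an RSA_EXPORT suite). As an added example, not part of the original article, the following Python parses a TLS ServerHello record and flags a handshake in which the server agreed to an export-grade suite; a site operator or defender can run it over captured handshakes to verify the configuration fix described above actually took effect. The cipher suite codes are those of the TLS 1.0/1.1 registry; the sample ServerHello is constructed inline.

```python
import struct

# Export-grade cipher suites from the TLS 1.0/1.1 registry (RFC 2246 / RFC 4346 Appendix A.5).
# FREAK depends on a server accepting one of the RSA_EXPORT suites; the other export suites
# are included because a hardened configuration should drop all of them.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE = 22      # TLS record content type
SERVER_HELLO = 2    # handshake message type

def build_server_hello(cipher_suite, session_id=b"", version=(3, 1)):
    """Constructed sample input: a TLS record carrying a ServerHello that selects cipher_suite."""
    body = bytes(version) + bytes(32) + bytes([len(session_id)]) + session_id  # version, random, session id
    body += struct.pack(">HB", cipher_suite, 0)                               # chosen suite, null compression
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + struct.pack(">H", len(hs)) + hs

def negotiated_cipher_suite(record):
    """Return the cipher suite the server chose in a ServerHello record, or raise ValueError."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:                      # 2 version + 32 random + 1 session id length
        raise ValueError("truncated ServerHello")
    off = 35 + body[34]                     # skip the variable-length session id
    if len(body) < off + 2:
        raise ValueError("truncated ServerHello")
    return struct.unpack(">H", body[off:off + 2])[0]

def audit_server_hello(record):
    """Flag a handshake in which the server accepted an export-grade suite (the FREAK precondition)."""
    suite = negotiated_cipher_suite(record)
    name = EXPORT_SUITES.get(suite)
    return {"cipher_suite": suite, "export_grade": name is not None, "name": name}
```

A result with `export_grade` set to True means the server still offers the downgrade path the article describes and its cipher suite configuration has not been fixed.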