Freak flaw puts encrypted data at risk
A new bug has been discovered that could compromise encrypted data, including data that was previously thought to be secure.
The flaw – which has been named “Freak” – was first discovered by encryption and security expert Karthikeyan Bhargavan. It forces data travelling between visitors and vulnerable sites to use weak encryption, making it much easier to crack.
When it was first discovered, Freak was thought to only impact a relatively small number of Android and Blackberry phones, as well as Apple’s Safari web browser. In a new warning, however, Microsoft has suggested that many more devices could be impacted.
Big names top list of casualties
Microsoft’s announcement in early March prompted scientists from America’s University of Michigan to track the bug and get a clear indication of just how many sites could be affected. Their research suggests that 95,000 of the web’s one million most popular websites could be susceptible to security breaches. Some big-name casualties include groupon.com, tinyurl.com, cancerresearchuk.org, legislation.gov.uk, ibtimes.co.uk, bhs.co.uk, and talktalk.co.uk. The Michigan team also created a tool for web users to ascertain whether their browser is putting them at risk.
Reaction to the announcement has been varied. Google has already updated Chrome for Macs to prevent such breaches, but has not yet outlined a timescale for Android devices. Apple, meanwhile, said it expected to produce a patch by the end of the month.
Microsoft has been open with its users, even though the outlook does not look good. It said that every current version of Windows that uses Internet Explorer was vulnerable, as was any non-Microsoft software that uses Secure Channel. The Microsoft report went on to say that action could be taken by users to better protect themselves, although doing so could cause “serious problems” for other programs.
Offering its own advice, the team from the University of Michigan urged users to ensure they have the most recent browser version installed and to check for updates frequently. Those running a server, meanwhile, are told to “immediately disable support for TLS export cipher suites”, as well as any other cipher suites known to be insecure.
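For server operators acting on that advice, the sketch below audits a list of enabled cipher suite names and reports which hosts still enable export suites. It is an added example, not code from the article or from the Michigan team; the host names, the sample inventory and the set of "weak" name tokens are assumptions made for illustration.

```python
import re
import ssl

# Name tokens treated as weak here: an assumption of this example, not a list from the article.
WEAK_TOKENS = {"NULL", "ANON", "ADH", "AECDH", "RC4", "RC2", "DES", "DES40", "3DES", "MD5"}


def classify(suite):
    """Return 'export', 'weak' or 'ok' for an OpenSSL- or IANA-style suite name."""
    tokens = [t.upper() for t in re.split(r"[-_]", suite) if t]
    # OpenSSL names start with EXP / EXP1024; IANA names contain EXPORT / EXPORT1024.
    if any(t.startswith("EXP") for t in tokens):
        return "export"
    if WEAK_TOKENS.intersection(tokens):
        return "weak"
    return "ok"


def audit(suites):
    """Group the enabled suites of one endpoint by classification."""
    report = {"export": [], "weak": [], "ok": []}
    for name in suites:
        report[classify(name)].append(name)
    return report


def hosts_to_fix(inventory):
    """Hosts that still enable at least one export suite, sorted by name."""
    return sorted(h for h, suites in inventory.items() if audit(suites)["export"])


def local_default_suites():
    """Suites the local Python/OpenSSL client context would offer."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]


# Constructed inventory (hypothetical hosts under example.test), e.g. from a scan export.
INVENTORY = {
    "legacy.example.test": ["EXP-RC4-MD5", "DES-CBC3-SHA", "AES128-SHA"],
    "shop.example.test": ["TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256"],
    "api.example.test": ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"],
}

if __name__ == "__main__":
    for host in hosts_to_fix(INVENTORY):
        print(host, "still enables export suites:", audit(INVENTORY[host])["export"])
    print("local client export suites:", audit(local_default_suites())["export"])
```

Hosts listed by `hosts_to_fix` are the ones to reconfigure first; suites in the `weak` group correspond to the "other cipher suites known to be insecure" part of the advice.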