Close

Technology companies such as Google and Apple are scrambling to create a patch that will fix a major security flaw that for more than a decade has left their devices vulnerable to hacking when they visited websites that were once considered secure.

The flaw was the result of a former policy of the U.S. government that prevented the export of strong encryption and required that weaker "export-grade" products be shipped to countries in other countries.  These restrictions were lifted in the late 1990s, but the weaker encryption became widely used in software around the world and eventually in the United States.

The problem with export-grade encryption amazed researchers, who have dubbed the flaw "FREAK" for Factoring attack on RSA-EXPORT Keys.

Thousands of sites are vulnerable, including that of the US National Security Agency - the same agency that pushed for weaker export grade encryption, according to Ed Felten, director of Princeton's Center for Information Technology Policy.

"There is an important lesson here about the consequences of crypto policy decisions: the NSA's actions in the '90s to weaken exportable cryptography boomeranged on the agency, undermining the security of its own site twenty years later," Felten says.

In recent weeks, researchers discovered that they could force web browsers to use the weaker encryption, then crack it in just a few hours.  Once the security has been breached, hackers can then steal passwords and other personal information and even use the breached machines to launch a broader attack on web sites themselves.

The problem highlights the danger of unintended security consequences at a time when the U.S. government is pressuring technology companies to provide doorways into their systems making it easier for law enforcement and intelligence agencies to conduct surveillance.

Christopher Soghoian, principal technologist for the ACLU, says that "You cannot have a secure and an insecure mode at the same time... What we've seen is that those flaws will ultimately impact all users.

The bug affects the SSL/TLS servers and clients, in particular OpenSSL browsers.  The default browser that shipped Android 4.4 KitKat, for example, is affected.  Apple's Safari browser for both its desktop systems and its mobile devices are also affected by the flaw but Chrome, Internet Explorer and Firefox are not.

Apple plans to release patches for the bug sometime next week.  However, a fix for Android users could take some time, as Google must provide a fix to all its Android partners such as handset makers and even wireless carriers.  It will then be up to them to implement the patch in their software and push it out to their users.