According to a recent announcement pertaining to the security flaw, which has been dubbed as FREAK- Factoring RSA Export Keys, had considerable repercussions for both Apple and Android devices, who utilizes HTTPS to connect to other websites. This flaw offers an important lesson as to why consciously weakening the cryptographic standards will open the backdoors or any other forms of protection to become an ultimate emphatically bad idea.
Understanding the problem:
It is important to have knowledge about the history to understand the scope of the problem. The United States government used to treat the cryptography as a matter of national security way back during the early 1990s. Due to the issue, the matter was divided the system in split, in which the United States government started using on level of this cryptography carrying out their domestic purposes, however using the other level for internationally distributed programs, which used a completely different set of encryption level for the deployed programs. For example Netscape, was distributed in both a 40-bit and a 128-bit version. This required the software implementation standard to be equipped to support both a “weak” version, as well as a “strong” version of a standard, along with NSA and other governmental agency, which are looking for “weak” version to ensure national security. At the end, government eventually removed all these restrictions enabling the foreign connections to be secured by using the same method like the domestic software. During these restrictions, SSL started getting in existence. A 512-bit RSA key was the largest the key that was allowed by the US companies to be distributed outside the United States of America.
Security can be destroyed by bugged validation process:
According to Matthew Green who is a cryptographer as well as researcher at Johns Hopkins University, some of the modern TLS clients, which include Apple’s SecureTransport and OpenSSL, are mostly bugged. Due to this bug, the clients will be asked to accept RSA export-grade keys even when they have not asked for export grade keys. He added that the impact of this bug could be quite vicious. This bug makes the client as well as the server supports export RSA vulnerable and affect the overall quality of the service. This problem can actually be avoided by phasing the export-RSA on schedule. Some of scans suggest that export-RSA standard is still being supported by 36.7% of the websites serving browser-trusted certifications. Some of the affected websites are Whitehouse.gov, NSA.gov, tips.FBI.gov, and irs.gov. Apart from government websites, nearly 10000 other top websites have got impacted by this bug.
A caution:
Freak is the latest example of bad security decision even after decades. The government officials in both UK and US are looking out for limited encryption and emphasizing on a method that supports most of their public security functions, but giving the law enforcement authority to break the standards for good purpose only. The only way government can avoid all these messes and problems is by not allowing to create all these initiatives.
