'FREAK' security flaw stems from 1990s: Research

A newly discovered Internet security flaw could leave many websites vulnerable to hackers because of weak US encryption standards in the 1990s, researchers said. The flaw dubbed “FREAK” could leave thousands of websites open to attacks if the problem is not patched, according to papers released by French and US researchers. The flaw was discovered by a team led by Karthikeyan Bhargavan at INRIA in Paris – the French Institute for Research in Computer Science and Automation – and disclosure coordinated by Matthew Green, a cryptographer at Johns Hopkins University. A research paper said the flaw comes from “a class of deliberately weak export cipher suites… introduced under the pressure of US government agencies to ensure that the NSA would be able to decrypt all foreign encrypted communication.” Green said in a blog post that even some sites maintained by the National Security Agency and FBI appeared to be vulnerable. “Since the NSA was the organization that demanded export-grade crypto, it’s only fitting that they should be the first site affected by this vulnerability,” Green said. Green and other researchers said the flaw stems from US government-imposed standards for encryption in software that was exported – a short-lived effort to allow the United States to be able to access software exported to unfriendly regimes. AFP