FREAK attack security flaw – what you need to know
- March 9, 2015, Pavel Krčma
- Password & security
Security experts have identified a new web encryption vulnerability that has been dubbed the ‘FREAK attack’. FREAK attack ‘allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.’ The sensitive data could, for example, involve passwords that a vulnerable Internet browser (the client) sends to a website you are logging into (the server) when initiated by the browser even though it is using HTTPS.
Here are a few things you need to know about your passwords and Sticky Password:
- Your passwords stored in Sticky Password are not affected by the FREAK vulnerability. Your passwords are encrypted locally on your device (computer, smartphone or other device) using AES-256.
- Your Master Password is safe because it is never transmitted.
- Your StickyAccount is safe. Sticky Password servers are not susceptible to the Freak flaw because they do not accept ‘export-grade’ encryption.
Remember: an important way you can mitigate the risks that accompany a stolen password stolen is to use a unique password for each website.
Mobile devices are particularly at risk of the FREAK vulnerability. If you’ve been accessing online accounts through your mobile device over unprotected (public) WiFi networks, we recommend that you check for updates for the browsers you’ve been using. In cases where you’ve been using a vulnerable browser, we recommend changing passwords 2 times: now, and then after you have applied the update for your browser – when it becomes available.
Check your browser’s vulnerability. This is the current situation:
- Firefox: all versions of Firefox are known to be safe.
- Chrome: Update to Chrome 41
- Internet Explorer: is vulnerable. Wait for a patch before continuing to use Internet Explorer.
- Safari: is vulnerable. Wait for a patch before continuing to use Safari.
- Android Browser: is vulnerable. Switch to Chrome 41.
- Blackberry Browser: is vulnerable. Wait for a patch before continuing to use Blackberry Browser.
- Opera: on Mac and Android is vulnerable. Update to Opera 28 (when stable).