Controversies around massive bugs are becoming a cliché in cybersecurity, with the latest "Freak" vulnerability following on from previous scandals with equally dramatic names: Heartbleed, Shellshock and, er, Poodle.
Indeed ever since news of Heartbleed broke the security of SSL, the layer that protects the traffic from your web browser to the server, has been in question, with many companies pouring funds into the Linux Foundation to secure the upkeep of OpenSSL, a variant of the technology.
So this time around, what can be learnt from this flaw?
1. Freak is not as bad as Heartbleed
Media interest in major vulnerabilities has dulled since the furore over Heartbleed, with each revelation being received with less interest as people have absorbed the notion that insecurity is the norm, rather than the exception.
Fortunately the lack of hyperbole is justified this time, as Keith Bird, UK MD at security vendor Check Point explained: "Even though the vulnerability affects a significant number of major websites worldwide, the risk to consumers and business users of their data being intercepted by a hacker exploiting it is minimal, as it would take a great deal of targeted effort to do so.
"As the flaw affects the Safari browser on iPhones, iPads and Macs and Android’s built-in browser, but not Google Chrome or the latest versions of Internet Explorer or Firefox, users can simply switch to a web browser that’s not affected to mitigate any risk from this vulnerability."
2. There’s nothing wrong with your SSL certificates
Digital certificates are the method by which web browsers can confirm whether a given connection is trusted or not by checking it against a verified signer. Whilst there have been issues with them in the past, Freak is a different type of bug.
"Your existing certificate will continue to work as intended; no certificate replacement is needed," said Rick Andrews, technical director at Symantec, writing on the firm’s blog. The problem exists with web server configurations, and in particular what ciphers are being used to encrypt traffic.
"It’s relatively easy to determine if a website is vulnerable, and if so, it’s relatively easy to change the configuration to block any possible attacks," he added. "Any type of web server may be vulnerable if its configuration allows the use of so-called export ciphers."
3. US export restrictions on encryption are responsible
American officials have been worried for some time that other countries might lay their hands on strong encryption, and have made many attempts to disrupt the exporting of US cryptography. As such when SSL was being created in the early 90s the US government mandated that the encryption be downgraded to a key length of 512bits.
As Phil Lieberman, chief executive of Lieberman Software, described it, Freak "is simply a known negotiation mode of web browsers and web servers that allow the web servers to downgrade encryption until the client is capable of making a connection".
He added that for older browsers and embedded systems "the downgrade to the lowest encryption may still have value". Unfortunately Freak means that some clients running TLS (the sequel to SSL) will accept export grade keys even when the client does not as for them.
4. "Backdoors will always bite you in the ass"
Security backdoors have always been a contentious topic, whether they are being discussed by the FBI and Silicon Valley, or the US and China. Given the conflicting priorities of corporations and governments that much is not likely to change.
Yet as Matthew Green, a cryptographer at John Hopkins University points out, decisions made today can echo decades down the line. This is worrying precisely because UK and US security agencies have criticised the technology companies for encrypting their products properly.
"While officials carefully avoid the term "backdoor" — or any suggestion of weakening our encryption systems against real attackers — this is wishful thinking," Green wrote on his blog. "These systems are already so complex that even normal issues stress them to the breaking point."
