FREAKy - SSL kind of broken in iOS, Android etc

Ars Technica:

The weak 512-bit keys are a vestige of the 1990s, when the Clinton administration required weak keys to be used in any software or hardware that was exported out of the US. To satisfy the requirement, many manufacturers designed products that offered commercial-grade keys when used in the US and export-grade keys when used elsewhere. Many engineers abandoned the regimen once the export restrictions were dropped, but somehow the ciphers have managed to live on a select but significant number of end-user devices and servers.

If there is a backdoor, it will be found. Thanks, paranoid post-cold-war American government.

This is more of a worry, though, especially if you have a non-Google Android phone (i.e., Samsung, HTC et al.):

An Apple spokesman said the company plans to issue patches for iOS and OS X next week. A Google spokeswoman said an Android patch has already been distributed to partners. In the meantime, Google is calling on all websites to disable support for export certificates.

iOS: next week. Android: um, when the partners and carriers feel like it. So.... never. Or ages away. But most likely never.

More technical background on it here.

Nic Wise

Auckland, NZ