Pando

FREAK shows why the gov't's attempts to weaken information security are horribly misguided

By Nathaniel Mott, written on March 4, 2015

From The News Desk

Here's another reason tech companies shouldn't comply with government requests to weaken their security measures or include backdoors in their products: the weaknesses can come back to haunt hundreds of millions of consumers more than a decade later.

Researchers have found a flaw in the TLS client code used by several browsers pre-loaded on Android devices and by Apple's Safari browser. It's called FREAK ("Factoring attack on RSA-EXPORT Keys"), and its discovery means that supposedly secure connections to any website that still offers export-grade RSA can be broken by an attacker sitting between the browser and the site.

This vulnerability can be exploited to intercept data as it's sent between consumers and websites via ostensibly secure connections: a man-in-the-middle tricks the browser into accepting a deliberately weak 512-bit RSA key, factors that key, and can then read and alter everything that follows. It can also be used to attack websites, says the Washington Post, by "taking over elements on a page, such as a Facebook 'Like' button."

The funny thing is that FREAK wouldn't be a problem if it weren't for the United States government's laws restricting the export of strong cryptographic tools. Those restrictions were lifted in the late '90s, but tech companies had already built the deliberately weakened "export-grade" cipher suites (with their 512-bit RSA keys) into their SSL/TLS software, and in the intervening years many web servers and browsers never had that weakened encryption removed. The attack needs both halves to survive: a server willing to hand out an export-grade key, and a browser that accepts it even though it never asked for one.
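To make the server half of that precondition concrete, here is an added example (written for this edit, not code from the Pando author or from the FREAK researchers) that probes a TLS server the way a FREAK attacker's rewritten ClientHello would: it offers only the standard RSA_EXPORT cipher suites and reports whether the server picks one. The suite IDs are the real IANA values; the sample ServerHello and alert bytes at the bottom are constructed here so the check runs offline, and `probe()` is the live version for a host you own.

```python
"""Probe a TLS server for export-grade RSA cipher suites (the FREAK precondition).

Added example for this article; it is not the Pando author's code nor the FREAK
researchers' tooling. It builds a minimal TLS 1.0 ClientHello that offers only
RSA_EXPORT suites and reads the server's first response: a ServerHello that
selects one of them means the server still serves the 512-bit keys FREAK
relies on; a handshake_failure alert means it does not.
"""
import os
import socket
import struct

# Standard IANA cipher suite IDs for the RSA_EXPORT key exchange (RFC 2246).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}
TLS10 = b"\x03\x01"


def _handshake_record(hs_type, body, version=TLS10):
    """Wrap a handshake body in a handshake header and a TLS record header."""
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def build_client_hello(suites, random_bytes=None):
    """ClientHello offering exactly `suites`, null compression, no extensions."""
    rand = random_bytes if random_bytes is not None else os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (TLS10 + rand
            + b"\x00"                                   # empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                              # compression: null only
    return _handshake_record(0x01, body)


def build_server_hello(suite, session_id=b""):
    """Constructed ServerHello selecting `suite`; used here only as offline sample input."""
    body = (TLS10 + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", suite) + b"\x00")
    return _handshake_record(0x02, body)


def parse_server_response(data):
    """Return ("server_hello", suite_id) or ("alert", description_code)
    for the first TLS record in `data`."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type = data[0]
    record_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + record_len]
    if content_type == 0x15:                            # alert record
        if len(body) < 2:
            raise ValueError("truncated alert")
        return ("alert", body[1])
    if content_type != 0x16 or len(body) < 4 or body[0] != 0x02:
        raise ValueError("expected a ServerHello handshake record")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hs) < 35:
        raise ValueError("truncated ServerHello")
    session_id_len = hs[34]                             # after version(2) + random(32)
    offset = 35 + session_id_len
    if len(hs) < offset + 2:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hs[offset:offset + 2])[0]
    return ("server_hello", suite)


def classify(response):
    """(server_offers_export, explanation) for a response to the export-only probe."""
    kind, value = parse_server_response(response)
    if kind == "alert":
        return (False, "alert %d (%s)" % (value, ALERT_NAMES.get(value, "other")))
    if value in RSA_EXPORT_SUITES:
        return (True, "server selected " + RSA_EXPORT_SUITES[value])
    # RFC 2246 requires the server to pick from the offered list, so this is a server bug.
    return (False, "server selected 0x%04x, which was not offered" % value)


def probe(host, port=443, timeout=5.0):
    """Live check (not exercised offline): send the export-only ClientHello to host:port."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(sorted(RSA_EXPORT_SUITES)))
        return classify(sock.recv(4096))


if __name__ == "__main__":
    # Constructed sample responses: a server that still accepts export RSA,
    # and one that refuses with a handshake_failure alert.
    print(classify(build_server_hello(0x0003)))
    print(classify(b"\x15\x03\x01\x00\x02\x02\x28"))
```

A server that answers the export-only probe with a ServerHello is exactly what the downgrade needs; the fix on that side is simply to stop configuring export suites at all. The browser-side fix is separate: a client that negotiated a normal RSA suite must refuse a ServerKeyExchange carrying a temporary RSA key, which is the check the affected clients were missing.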

It's fitting that FREAK has surfaced just as governments around the world, from the United Kingdom and France to China and the US, have sought access to tech products. They want backdoors; they want encryption keys; they want to undermine basic security.

But there just isn't a way for tech companies to give these governments what they want without also opening consumers up to attacks. As security researchers told the Post:

Matthew D. Green, a Johns Hopkins cryptographer who helped investigate the encryption flaw, said any requirement to weaken security adds complexity that hackers can exploit. 'You’re going to add gasoline onto a fire,' said Green. 'When we say this is going to make things weaker, we’re saying this for a reason.'

Christopher Soghoian, principal technologist for the ACLU, said 'You cannot have a secure and an insecure mode at the same time… What we’ve seen is that those flaws will ultimately impact all users.'

FREAK proves that these researchers, and everyone else who has criticized attempts to weaken information security, are right. Misguided laws or restrictions don't just affect the people using the technology today; they create problems that come back to haunt users more than a decade later.

[illustration by Brad Jonas]