A major flaw in web encryption was disclosed earlier this week. Dubbed the FREAK flaw, the vulnerability has been around for more than a decade, affecting the security of your Android and Apple devices and their built-in browsers.
Here’s everything you need to know about the FREAK flaw…what it is, how it affects you, and how to protect yourself from it.
What is the FREAK flaw?
According to freakattack.com, “The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted or altered.”
Plainly, there’s a flaw in the way your browser connects you to a site, and that flaw allows an attacker to intercept and alter communications between you and that site.
How does it affect your Dashlane account?
In short, it doesn’t.
- Your Dashlane account remains safe.
- Your Master Password is safe because it is never transmitted anywhere.
- If/when your personal data is transmitted, it is always ciphered locally with AES-256, so even if an attacker eavesdrop, he won’t be able to read your data.
Vulnerabilities and exploits are why we’ve made sure you’re the only person with the keys to your castle.
Are you at risk?
The FREAK flaw affects more browsers than initially thought. At the time of this post, it affects around 10% of Alexa’s top 1 million domains (down from 12%). If in the last 10 years you’ve accessed a vulnerable site using a vulnerable device and public WiFi, you could be susceptible to a man-in-the-middle attack.
According to freakattack.com, here are the vulnerable browsers:
- Internet Explorer
- Chrome on Mac OS and Android
- Safari on Mac OS and iOS
- Blackberry Browser
- Opera on Mac OS and Linux
You can also view a list of Alexa’s top 1 million domains that were affected here.
Unless you happen to be a public figure (or a government agency), then it’s unlikely that an attacker spent the time and energy to attack you, personally. However, just because your perceived risk feels small, your perception may be distorted. There are a lot of unknowns that come along with a disclosure like this, so you should still take action to protect yourself.
What should you do to protect yourself?
Though an attack seems unlikely, it’s not impossible. Thus, you should use precaution and take action to protect yourself. Here’s what you can do:
- Change the passwords of any accounts that you’ve accessed on your mobile device. You should change them now and again after more sites and devices have been patched. Also, if you’re reusing your passwords in lots of places, well…it’s time to clean those up.
- Remove any public WiFi connections from your devices. As nice of an option as being connected all the time is, you really shouldn’t use public WiFi to access important accounts. Even if it’s password protected, it doesn’t really matter if everyone knows the password.
- For now, use Firefox to browse on mobile and Mac. Apple and Google are working to push fixed versions of Safari and Chrome. However, on Android devices, you’re going to have to update your operating system to get the fix, which Android users notoriously don’t do. So, make fast friends with Firefox.
- When you’re prompted to update your operating system on your mobile device or Mac computer, do it. These next updates will include important security fixes. If it’s been a hot minute since you’ve processed any updates, know that by staying behind on your updates, you’re staying vulnerable. (…and need to use Firefox.)