FREAK: Today, Web Users Feel The Impact Of '90s Regulators' Stupidity

U.S. system to deliberately weaken encryption worked a little too well

Encryption
Yuri Samoilov/Flickr, CC BY 2.0

The latest security vulnerability to make the rounds, aptly dubbed FREAK, shines a spotlight on why it's maybe not such a great idea to weaken the technology behind the security that we all rely on. Turns out that we're still paying for the mistakes of the 1990s--and I don't mean acid-washed jeans.

Back in the '90s, politicians decided that the U.S. shouldn't be sending products including strong encryption overseas, because they'd make it harder for us to spy on our enemies. Thanks to that export ban, many companies whose products include encryption--including web browsers like Netscape Navigator--actually had two versions: a U.S. edition with strong encryption, and an international one with considerably weaker security.

Fast forward twenty some years, and that export ban has long since bit the dust. But the less secure code was never excised from much of the underlying security software in use by browsers and websites, and security researchers have found that it's not hard to trick browsers into using the weaker encryption--making it easier to intercept and decipher supposedly secure web traffic. According to those researchers, 12.2 percent of the top 1 million sites on the web (as calculated by Amazon's Alexa service) are vulnerable to this attack, including American Express, Marriott, Bloomberg, and--whoops!--even the National Security Agency's public-facing website.

System administrators can disable the older encryption on their servers, and browser makers will likely issues patches soon. But lest we think we're too smart to repeat our past mistakes, a battle not dissimilar from that of the 1990s is being waged today, with law enforcement officials--including the director of the FBI--taking up stances that oppose the wide availability of strong encryption.

The problem with hamstringing encryption is that there's no "backdoor" so secure that it can't be found by those bent on taking advantage of the system, whether they be hackers who force their way in or legitimate users abusing their authority.