The FREAK Flaw: Another Security Threat

On Tuesday, March 3, 2015, researchers discovered another major security flaw on the Internet, this time in its backbone: the SSL/TLS security protocol. The vulnerability was named the FREAK attack. An attacker can use it to intercept HTTPS connections and steal sensitive information.

Who is affected by this?

Both servers and client browsers are affected by this vulnerability. Servers that accept RSA_EXPORT cipher suites put their users at risk. A list of popular domains affected by this vulnerability is available here.
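A server-side check for the RSA_EXPORT condition described above, as an added example that is not part of the original post: it parses the first TLS record a server returns when a test client offers only export suites and reports whether an RSA_EXPORT suite was selected. The sample records are constructed and the function names are hypothetical.

```python
import struct

# RSA key-exchange export suites (IANA code points) that FREAK depends on.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def parse_server_reply(record: bytes):
    """Parse one TLS record: ('alert', description) or ('server_hello', suite_id)."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record body")
    if ctype == 0x15 and length >= 2:          # alert: level, description
        return ("alert", body[1])
    if ctype != 0x16 or length < 4 or body[0] != 0x02:
        raise ValueError("record is neither a ServerHello nor an alert")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:                        # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ServerHello")
    offset = 35 + hello[34]                    # skip the variable-length session id
    if len(hello) < offset + 2:
        raise ValueError("ServerHello has no cipher suite field")
    return ("server_hello", int.from_bytes(hello[offset:offset + 2], "big"))

def accepted_rsa_export_suite(record: bytes):
    """Name of the RSA_EXPORT suite the server selected, or None if it refused."""
    kind, value = parse_server_reply(record)
    return RSA_EXPORT_SUITES.get(value) if kind == "server_hello" else None

def build_server_hello(suite_id: int) -> bytes:
    """Constructed sample: minimal TLS 1.0 ServerHello with an empty session id."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + suite_id.to_bytes(2, "big") + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

# Constructed replies to a test ClientHello that offered only RSA_EXPORT suites.
SAMPLE_ACCEPTS = build_server_hello(0x0003)
SAMPLE_REFUSES = bytes.fromhex("15030100020228")   # fatal alert, handshake_failure(40)

if __name__ == "__main__":
    for label, rec in (("accepts", SAMPLE_ACCEPTS), ("refuses", SAMPLE_REFUSES)):
        print(label, "->", accepted_rsa_export_suite(rec) or "no RSA_EXPORT suite selected")
```

A server that answers with a fatal alert instead of a ServerHello has refused the export suites, which is the outcome an administrator wants to see.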

Various popular browsers are vulnerable to the FREAK attack because of bugs that allow an attacker to force them to use weak, export-grade encryption. You can check whether your browser is affected by the FREAK flaw by visiting this link. If your browser is affected, you will see a red warning message.

BTW, here is a list of the most popular affected browsers:

  1. Internet Explorer (Read more from Microsoft Advisory)
  2. Chrome on Mac OS (Patch available now)
  3. Chrome on Android
  4. Stock Android Browser
  5. Safari on Mac OS (Patch expected next week)
  6. Safari on iOS (Patch expected next week)
  7. Blackberry Browser
  8. Opera on Mac OS
  9. Opera on Linux

How Enpass is affected

Fortunately, your AES-256 encrypted data in Enpass is not affected at all, as it is stored locally on your device and not on any of our cloud or servers. Even if you have enabled Sync in Enpass, your data is still secure, because it is first encrypted locally and only then transmitted to your own cloud accounts. So there is no way for anyone to get access to your master password and unlock your database.
However, as the Enpass browser is based on the system's own WebView, it is affected by the FREAK flaw, and you should not use it for browsing (this applies not only to the Enpass browser; it could be your OS's default browser too) until the operating system itself provides an update. The Enpass built-in browser will be updated automatically when the platforms get a fix from the OS. In the meantime, you can browse securely with Firefox mobile.

What should I do?

  • Update your OS and browsers: All OS and browser providers will be releasing updates as soon as possible, and you must install all these updates immediately.
  • Use Firefox for browsing: Firefox is immune to this flaw, and you can download it for free.
  • Change your vulnerable passwords: It is unlikely that your account has been hacked, but it is always good to prepare for these kinds of attacks in advance. You should not use the same password for multiple websites. Enpass can help you create unique, strong passwords using its built-in password generator, so if one of your accounts is hacked, the same password will not be usable on other websites.

We are keeping a close eye on all related activity and will keep you updated on important announcements. Please stay connected with us on Twitter and Facebook.