Firefox and Opera are the first Android web-browsers to fix the FREAK vulnerability
About two weeks after the announcement of FREAK, the latest SSL/TLS vulnerability, which allows an active man-in-the-middle attacker to break HTTPS connections and steal sensitive data, it looks like almost nobody among the developers of Android web browsers is taking care of the problem.
What is the FREAK attack?
It is an attack on HTTPS connections, based on a flaw in OpenSSL and other TLS libraries, that allows a man-in-the-middle attacker to force the browser into an old and weak form of encryption: the "export-grade" RSA cipher suites of the 1990s, whose 512-bit keys can be factored in a matter of hours. A vulnerable client accepts an export-grade RSA key from the server even though it never asked for an export cipher suite; a vulnerable server is one that still offers those suites and will sign an export key when asked.
It was discovered by Karthikeyan Bhargavan at INRIA and the miTLS team.
To conduct a FREAK attack successfully, the attacker must sit between a client and a server, and both of them must be vulnerable. This mitigates the risk a little, but millions of Android devices are vulnerable, and so is a relevant share of web servers. It would therefore have been good if all browser developers and all webmasters had done everything in their power to fix this issue.
Some similarity with POODLE attack?
Yes, of course. The man in the middle and the forced use of something weaker to communicate are details that bring POODLE to mind: the older vulnerability in the SSLv3 protocol, which also affected a huge number of Android devices. The difference is in what gets downgraded: POODLE forces the client to fall back to SSLv3 and then abuses its CBC padding to decrypt part of the traffic, while FREAK keeps TLS but downgrades the key exchange to a key the attacker can factor.
What is the solution?
The only thing you can do to protect your Android device while browsing over HTTPS is to use a web browser that has released a patch for the FREAK vulnerability.
How can I check if my web-browser or my web-server are safe?
You can check your web browser for the FREAK vulnerability by visiting the following link, and for the POODLE vulnerability by visiting this one.
If you are a webmaster, you can use this online tool by Symantec to check your web server for the FREAK attack, the POODLE attack and more.
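If you would rather not depend on an online checker, the settings that FREAK and POODLE rely on are visible in the very first message the browser sends, the TLS ClientHello. The following script is an added example written for this article, not code from the original post or from any of the browser vendors mentioned: it parses a ClientHello (from a packet capture, for instance) and reports whether the client offers export-grade cipher suites, whether it is speaking SSLv3, and whether it sends the TLS_FALLBACK_SCSV signalling suite from RFC 7507. The two sample hellos at the bottom are constructed here for illustration. Note that offering export suites is a strong warning sign but not the complete FREAK client test: the client-side bug is accepting an export RSA key for a non-export suite, which only an active test server can exercise.

```python
"""Inspect a TLS ClientHello for the weak settings FREAK and POODLE rely on.

Added example for this article (not from the original post). Given the raw
bytes of one TLS record carrying a ClientHello, report whether the client
offers export-grade cipher suites (the downgrade target of FREAK), whether it
is talking SSLv3 (the protocol POODLE needs), and whether it sends
TLS_FALLBACK_SCSV (RFC 7507, which lets a server detect a downgrade retry).
"""
import struct

# Export-grade suites from RFC 2246 Appendix A.5 (40-bit ciphers with 512-bit
# RSA or DH key exchange). A client that still offers these can be steered by
# a man in the middle toward a key the attacker can factor.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling cipher suite value
SSL3_VERSION = (3, 0)       # SSLv3 is version 3.0 on the wire; TLS 1.2 is 3.3


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello; raise ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:
        raise ValueError("record does not carry a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ClientHello")
    version = (hello[0], hello[1])
    pos = 34                      # skip client_version (2) and random (32)
    sid_len = hello[pos]
    pos += 1 + sid_len            # skip session_id
    if pos + 2 > len(hello):
        raise ValueError("truncated ClientHello (session id)")
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return {"version": version, "cipher_suites": suites}


def is_well_formed(record: bytes) -> bool:
    """True if the record parses as a ClientHello, False otherwise."""
    try:
        parse_client_hello(record)
        return True
    except ValueError:
        return False


def assess(record: bytes) -> dict:
    """Summarise the FREAK/POODLE-relevant settings of a ClientHello."""
    hello = parse_client_hello(record)
    export = [EXPORT_SUITES[s] for s in hello["cipher_suites"] if s in EXPORT_SUITES]
    return {
        "version": hello["version"],
        "offers_export_suites": export,
        "sslv3": hello["version"] == SSL3_VERSION,
        "fallback_scsv": TLS_FALLBACK_SCSV in hello["cipher_suites"],
    }


def build_client_hello(version: tuple, suites: list) -> bytes:
    """Construct a minimal ClientHello (no extensions) for the samples below."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


# Constructed samples (not real captures): an old client that speaks SSLv3 and
# still offers export suites, and a patched one that offers only modern suites
# plus the fallback SCSV.
WEAK_HELLO = build_client_hello((3, 0), [0x002F, 0x0003, 0x0008, 0x0014])
SAFE_HELLO = build_client_hello((3, 3), [0xC02F, 0x009C, 0x002F, TLS_FALLBACK_SCSV])

if __name__ == "__main__":
    for name, hello in (("weak", WEAK_HELLO), ("safe", SAFE_HELLO)):
        print(name, assess(hello))
```

To feed it a real browser, export the first client-to-server TLS record of a capture as raw bytes and pass it to assess(). For the server side the usual command-line equivalent is `openssl s_client -connect host:443 -cipher EXPORT`, which completes the handshake only if the server still accepts an export-grade suite; a server that rejects that connection is not a FREAK target.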
So, which Android web-browsers are safe against the FREAK attack?
Today we tested the latest available version of some of the most commonly used Android web browsers to evaluate whether they are vulnerable to the FREAK attack and, while we were at it, also checked whether they have disabled the old SSLv3 protocol and are therefore safe against a POODLE attack.
We ran the tests on a Galaxy Nexus running Android 4.3, and the results follow.
All our appreciation goes to Mozilla's team for their good work. They diligently work on one of the best Android web browsers available, never forgetting to take care of security. The same appreciation goes to Opera's team, even if we would like to see the Opera Mini version fixed as soon as possible too.
We strongly suggest that all users switch to Firefox or Opera, and hope that the other browser makers will follow Firefox's good example as soon as possible.