Windows users are also vulnerable to FREAK snooping attacks

The “FREAK” vulnerability that downgrades and weakens secure web connections doesn’t just affect Google and Apple users — according to a security advisory from Microsoft, all supported versions of Windows are vulnerable too.

FREAK (Factoring attack on RSA-EXPORT Keys) is a recently discovered hangover from the early 90s, when the U.S. government banned the export of most software that used strong encryption. The SSL web security protocol was for that reason built with a special mode that uses key lengths considered weak today. The law was changed but the weak cipher suites remain, and although most modern browsers are supposed to avoid them like the plague, a widespread bug means they don’t always do that.

The FREAK flaw allows “man-in-the-middle” snoopers to downgrade a session’s security to that mode – as long as the browser is vulnerable and the server accepts those weak old cipher suites – then crack the keys and spy away.

When the flaw was publicized earlier this week, it was Apple’s Safari browser and the stock Android browser that were on the firing line for being vulnerable, endangering those users who communicate with servers that accept “export-grade” encryption – apparently a whopping third of servers with browser-trusted certificates. But it turns out the list of affected browsers and systems is way longer than that.
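The mechanism described above is easy to see in the handshake itself: the attack succeeds only if the server ends up choosing an export-grade cipher suite, so the ServerHello is the place a defender can check. The following Python is an added example (not code from the article or from the researchers): it parses a TLS ServerHello record, extracts the negotiated cipher suite and flags the RSA_EXPORT and DH_EXPORT suite codes registered in RFC 2246. The sample records are constructed inline with a small builder; a real audit would feed it the bytes captured from a server's response or from a packet capture.

```python
import struct

# Export-grade cipher suite codes and names from the RFC 2246 (TLS 1.0) cipher suite
# list. These are the 40-bit / 512-bit suites FREAK downgrades a session to.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE_RECORD = 0x16   # TLS record content type: handshake
SERVER_HELLO = 0x02       # handshake message type: ServerHello


def build_server_hello(cipher_suite, session_id=b"", version=0x0303):
    """Construct a minimal TLS record carrying a ServerHello.

    Used only to produce sample input for this example; the random field is
    zeroed and no extensions are included.
    """
    body = (struct.pack(">H", version)            # server_version
            + bytes(32)                            # random (constructed, all zero)
            + bytes([len(session_id)]) + session_id
            + struct.pack(">H", cipher_suite)      # the suite the server picked
            + b"\x00")                             # compression_method: null
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE_RECORD]) + struct.pack(">H", version)
            + struct.pack(">H", len(handshake)) + handshake)


def parse_server_hello(record):
    """Return the cipher suite code negotiated in a ServerHello record.

    Raises ValueError for anything that is not a well-formed ServerHello, so a
    truncated or unexpected record is never silently reported as 'safe'.
    """
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello message")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                      # skip server_version and random
    session_id_len = body[pos]
    pos += 1 + session_id_len         # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ServerHello")
    return struct.unpack(">H", body[pos:pos + 2])[0]


def audit_server_hello(record):
    """Classify the negotiated suite; export_grade=True means FREAK-style downgrade."""
    suite = parse_server_hello(record)
    name = EXPORT_SUITES.get(suite)
    return {
        "cipher_suite": suite,
        "export_grade": name is not None,
        "name": name if name else "0x%04x" % suite,
    }


if __name__ == "__main__":
    # Constructed samples: one export-grade negotiation, one modern AES-GCM suite.
    for suite in (0x0003, 0x009C):
        print(audit_server_hello(build_server_hello(suite)))
```

The same check works against a packet capture: pull the ServerHello bytes out of a flow and run `audit_server_hello` over them, and any `export_grade: True` result is a session that either a misconfigured server or an active downgrade has pushed into the weak mode. The durable fix is the one the advisories describe: clients reject export suites outright, and servers drop them from their configured list.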

The big one is Windows. In pretty much every version of Windows that’s out there, Internet Explorer and whatever else uses the Schannel security package are vulnerable to the FREAK attack.

In its advisory, Microsoft said:

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Per the researchers who brought this all to our attention, here’s the current list of browsers that need patching:

  • Internet Explorer
  • Chrome on OS X (patch available)
  • Chrome on Android
  • Safari on OS X (patch expected next week)
  • Safari on iOS (patch expected next week)
  • Stock Android browser
  • BlackBerry browser
  • Opera on OS X
  • Opera on Linux

As a Firefox user, I’m feeling slightly smug this week — the researchers’ FREAK test tool just gave my browser a clean bill of health, and told me my never-used IE installation is vulnerable. Not too smug though, given the impact on other Windows software.

Good thing the anti-strong-encryption nonsense that caused this mess is a relic of past decades, eh? Oh wait…

New Firefox gets social, brings beta Marketplace to desktop

Mozilla has released Firefox 35, which brings with it the enhancements to the Firefox Hello video-calling feature that I wrote about when they were in beta.

Firefox 35 also introduces a social sharing feature, making it easy to post a link to a webpage to a service such as Facebook or Twitter, or to email it to a contact. This is similar to what Opera has been doing recently, and it’s interesting to see how the big Chrome rivals (let’s leave Internet Explorer out of it for now) are adding more features in a way that doesn’t necessarily make them look bloated in comparison to Google’s streamlined browser.

Here’s how the right side of my Firefox toolbar looks now – there’s a good deal of functionality in there (the 1Password icon is the only third-party one) but it’s still tasteful and unobtrusive, at least to my eyes:

Firefox toolbar

To quickly recap the new Firefox Hello features, it’s now easier to set up an ad-hoc, anonymous call and to create a URL for such a call that can be repeatedly revisited by the participants – making it a bit like a virtual meeting room.

In a Tuesday blog post, Mozilla also said that it and its telco partner, Telefonica, aim to add new features to the WebRTC-based Firefox Hello such as screen-sharing and online collaboration – all from within the browser.

A more general blog post about Firefox 35 also noted that the Firefox Marketplace is now available for beta testing on the desktop. Firefox already has an add-on search facility, of course, but this is more like the Chrome Web Store, featuring a range of web apps.

The Firefox Marketplace is already available on mobile, and indeed it is effectively the app store for those with Firefox OS phones – the apps are all HTML5. So, by bringing it to the desktop, Mozilla is bringing its mobile and desktop efforts closer together.

This Japan-bound Firefox phone is transparently gorgeous

Most phones running Mozilla’s mobile Firefox OS to this point have been drab and cheap affairs. But take a look at the latest Firefox phone headed to Japan: Called Fx0, it’s the highest-performance Firefox phone we’ve seen so far, wrapped in an unusual and gorgeous transparent body.


Although Mozilla and KDDI, its Japanese carrier partner, are calling the Fx0 a “high-spec” device, that’s only in comparison to other Firefox phones that cost under $50. With a Qualcomm Snapdragon 400, 1.5GB of RAM, and a 4.7-inch, 720 x 1280 screen packed into its translucent shell, it’ll leave Firefox phones like the Cloud FX in the dust, but won’t stand up to the best that Android or iOS offers. The Fx0 will support NFC and LTE, the first Firefox phone to do so.

The Fx0 isn’t just pretty for its own sake. Designed by Tokujin Yoshioka — who has work in the collections of the Museum of Modern Art in New York and Pompidou Centre in Paris — and manufactured by LG, the transparent shell is supposed to reflect “the openness, freedom and transparency that are core to the Mozilla mission.” Most people will simply think this phone looks cool. After all, there aren’t a lot of transparent phones readily available.

In Japan, the Fx0 will cost 50,000 yen, or about $416, when it goes on sale on January 6th. (A limited sale starts on December 25th.)

That easily makes it the most expensive Firefox phone and puts it in a price category where it will have to compete with awfully compelling Android devices that are often less expensive. But KDDI seems to be planning to give the Firefox ecosystem as much of a boost as it can, with a dedicated website meant to encourage developers. One thing that would certainly give Firefox OS a little momentum is if this translucent gem became available in the United States.


Firefox’s built-in Skype rival begins to evolve

Firefox Hello, the WebRTC-based video-calling feature that Mozilla and partner Telefónica revealed as a beta feature in October, hit the mainstream — sort of — with the full release of Firefox 34 earlier this week.

It’s still very much under development though, being currently tucked away under the “customize” section in the browser’s settings menu. And, as of Thursday, those who download the beta of Firefox 35 can test out a few improvements.

The big changes are in the account-less call mode, which is moving towards a Google Hangouts-style room model. When you initiate a call – something that’s done by sending a link to the person you want to talk to – Firefox Hello will now show you your own camera feed before your partner joins the call. The call begins as soon as the person you’ve called joins the conversation, whereas before they would have had to initiate a callback which you would have had to answer.

Users will also now be able to create and name multiple conversations for people they regularly want to talk to, again without needing to create an account or sign in. Not only is this URL-based approach anonymous (theoretically at least), but it also makes it easy to set up chats with users of other WebRTC-toting browsers, such as Chrome and Opera.

Those who do set up Firefox Hello accounts can of course make more traditional direct calls, which don’t involve passing on URLs as a setup mechanism.

Mozilla and Telefónica are very much looking for feedback on all this, so if you try it out, be sure to give them your opinion on the changes they’re making.

How Europe could cut Google down to size without splitting it up

Google’s EU search antitrust case is a complex beast that is being overloaded by vested interests. Competition Commissioner Margrethe Vestager would be best advised to keep her solutions simple, and here are some suggestions for what those solutions might entail.