As FTC adds encryption to its website, government remains unsure on corporate use

The Federal Trade Commission’s website just got a whole lot safer for people to peruse after the government agency said Friday that it now supports HTTPS encryption. While it used to provide secure transport for the parts of the website that dealt with sensitive information like complaint data and email subscriptions, this is the first time that secure browsing covers the entire site, the FTC said.

When a website is secured through the HTTPS communication protocol, all data passed between the site and the person who is accessing it will be encrypted through the use of either the SSL or TLS encryption protocols. Basically, the person’s browser initiates communication with the locked-down website and through the exchanging of encryption keys, all information should be scrambled from prying eyes.

In theory, this process works fine, but as the latest FREAK bug demonstrates, there can be holes in the system, especially if the browsers or devices in question use ineffective security protocols to speak to websites. In the case of FREAK, Android browsers using the OpenSSL library, Safari browsers using Apple's TLS/SSL implementation and now all supported versions of Windows that use the Schannel security package (sorry IE users) are vulnerable to hackers who can essentially weaken the encryption that takes place.

Still, many sites use HTTPS as it is one of the most common tools to prevent eavesdroppers from snooping into website sessions. In the case of the FTC, it may seem like a no-brainer to add encryption, but the U.S. government hasn’t always shown support for encryption technology, especially when it comes to tech companies and mobile-device makers who use the tech to mask data.

Both the U.S. and U.K. governments have made it clear they feel that companies using encrypted communications can impede government investigations, and even the Chinese government has jumped on the bandwagon with a proposed law that would require tech companies to hand over their encryption keys.

Ironically, a leaked U.S. report on cyber threats explained that encryption technology is the “[b]est defense to protect data,” which shows that the U.S. government hasn’t quite made up its mind on where it sees encryption technology. If it protects consumers from spying eyes as in the case of the FTC website, then that’s great, but if the government perceives that the technology may prevent it from doing its job, it’s a no-go.

Either way, the corporate sector shows no signs of slowing down when it comes to developing new businesses around encryption, with recent funding rounds for encryption-centric startups like CipherCloud and Ionic Security.

The U.S. government, as well, still has a long way to go. Many .gov domains like whitehouse.gov, the U.S. Department of Education, the U.S. Department of the Treasury and NASA’s website remain unencrypted. So expect this tug-of-war between the need to protect data and the government’s need to scan encrypted company data in the case of investigations to continue.

Decade-old FREAK bug leaves Google and Apple device users vulnerable

A team of security researchers unearthed a decade-old vulnerability called the FREAK (Factoring attack on RSA-EXPORT Keys) attack, which impacts Google and Apple device users who may have visited websites, including Whitehouse.gov and NSA.gov, according to a Washington Post report. One of the researchers who spotted the vulnerability told the Post that “Of the 14 million Web sites worldwide that offer encryption, more than 5 million remained vulnerable as of Tuesday morning.”

According to Matthew Green, a cryptographer and research professor at Johns Hopkins University who has been looking into the flaw, the security researchers found serious vulnerabilities in the security protocols used by the Safari browser and the browser found in Android devices. These protocols are used to encrypt data through secure network connections between websites and browsers.

Even though the Android browser in question uses the OpenSSL library and Safari uses Apple's TLS/SSL implementation, both are similarly affected, and a hacker taking advantage of the bug can “downgrade connections from ‘strong’ RSA to ‘export-grade’ RSA,” Green wrote. This basically means that a hacker can infiltrate the connection between the browser and the website and weaken the encryption that occurs. When this happens, a hacker can supposedly decrypt the data and obtain the information that was supposed to be secure.
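As an added example (not code from the article, from Green, or from any of the vendors named), the following Python model shows the client-side checks that defeat the downgrade described in this paragraph and in the first story's FREAK paragraph, and it also includes a small server-side audit of the kind behind the "5 million remained vulnerable" count. The cipher suite names are real TLS identifiers; the ServerResponse structure, the functions, the constructed inputs and the 2048-bit minimum key size are this example's own simplifications and assumptions, not values from the article.

```python
# Added example: a simplified model of the handshake checks that stop an
# RSA -> RSA_EXPORT downgrade. Structures and thresholds are constructed
# for illustration and are not taken from any real TLS library.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Suites a correctly configured client offers. Note that no RSA_EXPORT
# suite is in the list; a client that never offers one should never see one.
CLIENT_OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# Assumed policy: refuse RSA keys below this size. Export-grade RSA was
# capped at 512 bits, which is why FREAK is a "factoring" attack.
MIN_RSA_BITS = 2048


@dataclass
class ServerResponse:
    """What the client sees after its ClientHello (constructed shape)."""
    cipher_suite: str                        # suite named in the ServerHello
    certificate_rsa_bits: int                # RSA key in the server certificate
    ephemeral_rsa_bits: Optional[int] = None  # temporary RSA key from a ServerKeyExchange, if any


def is_export_suite(name: str) -> bool:
    """True for the 1990s export-grade suites (RSA_EXPORT, DHE_..._EXPORT, ...)."""
    return "_EXPORT" in name


def client_accepts(offered: List[str], resp: ServerResponse) -> Tuple[bool, str]:
    """Return (accepted, reason), modelling the checks of a non-vulnerable client."""
    # 1. The server may only select a suite the client actually offered.
    if resp.cipher_suite not in offered:
        return False, "server selected a suite the client did not offer"
    # 2. Never negotiate an export-grade suite at all.
    if is_export_suite(resp.cipher_suite):
        return False, "export-grade suite"
    # 3. A temporary RSA key is only part of the RSA_EXPORT key exchange. Receiving
    #    one under a non-export suite means the handshake was tampered with; the
    #    vulnerable clients used that 512-bit key anyway, which is the FREAK bug.
    if resp.ephemeral_rsa_bits is not None:
        return False, "temporary RSA key received under a non-export suite"
    # 4. Refuse weak certificate keys regardless of suite.
    if resp.certificate_rsa_bits < MIN_RSA_BITS:
        return False, f"certificate RSA key below {MIN_RSA_BITS} bits"
    return True, "ok"


def export_suites_offered(server_suites: List[str]) -> List[str]:
    """Server-side audit: which advertised suites are export-grade and should be disabled."""
    return [s for s in server_suites if is_export_suite(s)]


if __name__ == "__main__":
    # Constructed responses: a normal handshake, and one where a strong suite is
    # named but a 512-bit temporary key is pushed in (the downgrade symptom).
    normal = ServerResponse("TLS_RSA_WITH_AES_128_CBC_SHA", 2048)
    downgraded = ServerResponse("TLS_RSA_WITH_AES_128_CBC_SHA", 2048, ephemeral_rsa_bits=512)
    print("normal:", client_accepts(CLIENT_OFFERED, normal))
    print("downgraded:", client_accepts(CLIENT_OFFERED, downgraded))
    # Constructed server configuration that still carries export suites.
    legacy_server = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"]
    print("to disable:", export_suites_offered(legacy_server))
```

Check 3 is the one the affected browsers lacked: they would accept a temporary 512-bit RSA key even though the suite they thought they had negotiated does not use one. Removing every export suite from the server side (the audit function) protects even clients that never get patched.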

While the bug clearly affects a lot of users, Forbes is reporting that actually pulling off the hack requires a lot of work, and it’s more likely that hackers would attempt another kind of attack.

From Forbes:

“This all sounds scary, but in reality, there are easier attack methods for snoops or criminals to spy on your online lives. For starters, a FREAKy hacker will have to find a target using a vulnerable PC, phone or tablet, and hope they use the affected sites. They’ll also have to be on the same network, though the NSA, GCHQ and myriad other intelligence agencies have access to much of the world’s internet, so would easily be able to carry out such an attack, as long as the other criteria were met.”

What’s interesting is that the reason why there is weaker encryption in the first place has to do with U.S. government policy “that once forbid the export of strong encryption” and instead called for products shipped to other countries to come equipped with weak encryption, the Post reported. Although the policy is supposedly no longer in effect, the damage has been done and “weaker encryption got baked into widely used software that proliferated around the world and back into the United States.”

While Google’s Chrome browser is not affected by the vulnerability, the browser found in the majority of Android devices is, and an Apple spokeswoman told the Post that the company will be issuing a security patch that should fix both Apple computers and mobile devices.

Encryption has been a hot topic as of late, as China just unveiled a new counterterrorism law that would require tech companies to hand over their encryption keys if the Chinese government calls for it. Both the U.S. and the U.K. have also let it be known that encryption hampers a government’s ability to perform investigations and that if companies use the tech, they should be prepared to turn over the encryption keys.