The U.S. government has a history of meddling with encryption. And thanks to a 1990s policy banning the export of strong encryption to other countries, millions of websites, including government websites like Whitehouse.gov and NSA.gov, were affected by a “major security flaw” for over ten years, the Washington Post reports.
The flaw, which has been dubbed “FREAK attack,” made Apple’s Safari and Google’s Android browsers vulnerable to attack when visiting what were thought to be secure websites. Even after the encryption rules changed in the 90s, the vulnerabilities already existed in software made around the world, and remained undetected, affecting sites like American Express:
As for whether this capability has ever actually been used, according to the report, we can’t be sure.
As of Tuesday, Whitehouse.gov and FBI.gov had been secured, but NSA.gov had not. Apple and Google are both working to permanently fix the problem.
This is bad news for the FBI, which has been urging tech companies to make their encryption easier for the government to crack for security purposes. “Encryption threatens to lead us all to a very, very dark place,” FBI Director James Comey said last year.
But, as experts have warned in the past, there’s no way to provide ease of access for the government without simultaneously increasing vulnerability to malicious hackers.
“Unfortunately, there are no magic keys that can be used only by good guys for legitimate reasons,” Sen. Ron Wyden (D-Ore.) has said in response to Comey. “There is only strong security or weak security.”