As this is being written, both Apple and Google are preparing patches for a recently disclosed vulnerability in their browsers. The vulnerability, known as the FREAK attack (Factoring RSA Export Keys), takes advantage of the export-grade encryption the US government once mandated. Until 2000, the US restricted the strength of cryptography in products exported outside the country, so engineers shipped exportable builds with deliberately weakened cipher suites, including RSA key exchange limited to 512-bit keys.

Those restrictions were lifted long ago. That has not stopped some browsers and other TLS client software from accepting a downgrade to the weak export cipher suites, even when the client never offered them in its own handshake. This is the case with Safari on Mac and iOS as well as Google's Android AOSP browser.

The attack works like this: an attacker positioned between client and server rewrites the client's handshake to request an export-grade RSA cipher suite; a server that still supports export suites answers with a 512-bit RSA key; and the vulnerable client accepts that key even though it never asked for it. The attacker then factors the 512-bit key (feasible in a matter of hours on rented cloud compute, and made cheaper by servers that reuse the same export key for long periods), recovers the session secrets, and can read or modify the traffic while posing as the real server in a man-in-the-middle attack.

Many sites are disabling support for the export cipher suites on their own servers, and the patches from Apple and Google should be available soon. It is important to install them as soon as they are released, and server operators should verify that their servers refuse export-grade suites in the meantime.
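The downgrade described above starts with a ClientHello that offers only export-grade RSA cipher suites, and the server-side fix is to make sure a server never agrees to one. The following is an added example, not code from the original post or from Apple, Google or any named project. It builds that export-only TLS 1.0 ClientHello from raw bytes with the Python standard library, parses the server's first record, and reports whether an RSA_EXPORT suite was negotiated or the server refused with an alert. The `probe` function opens a real connection; the target host name it is given is assumed to be one you operate or are authorized to test.

```python
"""Probe a TLS server for export-grade RSA cipher suite support (FREAK precondition).

Added example: sends a TLS 1.0 ClientHello offering only RSA_EXPORT suites and
classifies the server's reply. Uses only the standard library.
"""
import os
import socket
import struct
import sys

# RSA export-grade cipher suite IDs from the IANA TLS registry. A server that
# negotiates any of these hands out a 512-bit RSA key, which is what FREAK factors.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

TLS10 = b"\x03\x01"
RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(suites=tuple(RSA_EXPORT_SUITES), client_random=None):
    """Return one TLS 1.0 record carrying a ClientHello that offers only `suites`."""
    client_random = client_random or os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    body = TLS10 + client_random
    body += b"\x00"                                   # empty session id
    body += struct.pack("!H", 2 * len(suites))        # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    # Handshake header: type (1 byte) + 24-bit length; no extensions for a plain TLS 1.0 hello.
    handshake = struct.pack("!B", HS_CLIENT_HELLO) + struct.pack("!I", len(body))[1:] + body
    return struct.pack("!B2sH", RECORD_HANDSHAKE, TLS10, len(handshake)) + handshake


def classify_response(data):
    """Interpret the server's first TLS record.

    `accepted_export` is True only when a ServerHello selects an RSA_EXPORT suite.
    An alert (handshake_failure, protocol_version, ...) means the server refused.
    """
    refused = {"accepted_export": False, "suite": None}
    if len(data) < 5:
        return dict(refused, detail="short or empty reply")
    rec_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if rec_type == RECORD_ALERT and len(payload) >= 2:
        level, desc = payload[0], payload[1]
        name = ALERT_NAMES.get(desc, str(desc))
        return dict(refused, detail="alert %s (level %d): server refused export suites" % (name, level))
    if rec_type == RECORD_HANDSHAKE and payload and payload[0] == HS_SERVER_HELLO:
        # ServerHello layout: type(1) len(3) version(2) random(32) sid_len(1) sid(n) suite(2)
        if len(payload) < 39:
            return dict(refused, detail="truncated ServerHello")
        sid_len = payload[38]
        off = 39 + sid_len
        if len(payload) < off + 2:
            return dict(refused, detail="truncated ServerHello")
        suite = struct.unpack("!H", payload[off:off + 2])[0]
        if suite in RSA_EXPORT_SUITES:
            return {"accepted_export": True, "suite": suite,
                    "detail": "server negotiated %s" % RSA_EXPORT_SUITES[suite]}
        return {"accepted_export": False, "suite": suite,
                "detail": "server picked non-export suite 0x%04x" % suite}
    return dict(refused, detail="unexpected record type 0x%02x" % rec_type)


def probe(host, port=443, timeout=5.0):
    """Send the export-only ClientHello to host:port and classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = sock.recv(4096)
    return classify_response(data)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: %s HOST [PORT]" % sys.argv[0])
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(sys.argv[1], port))
```

A correctly configured server answers the export-only hello with a handshake_failure alert (or a protocol_version alert if it no longer speaks TLS 1.0 at all); either way `accepted_export` is False. Only a ServerHello that selects one of the 0x0003/0x0006/0x0008 suites flags the server as still offering export RSA keys to a downgraded client.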


