Security experts have discovered a potentially catastrophic flaw that for more than a decade has made it possible for attackers to decrypt HTTPS-protected traffic passing between Android or Apple devices and hundreds of thousands or millions of websites, including AmericanExpress.com, Bloomberg.com, NSA.gov, and FBI.gov.

In recent days, a scan of more than 14 million websites that support the secure sockets layer or transport layer security protocols found that more than 36 percent of them were vulnerable to the decryption attacks. The exploit takes about seven hours to carry out and costs as little as $100 per site. The so-called FREAK attack—short for Factoring attack on RSA-EXPORT Keys—is possible when an end user with a vulnerable device—currently known to include Android smartphones, iPhones, and Macs running Apple's OS X operating system—connects to a vulnerable HTTPS-protected website. Vulnerable sites are those configured to use a weak cipher that many had presumed had been retired long ago. At the time this post was being prepared, most Windows and Linux end-user devices were not believed to be affected.

Attackers who are in a position to monitor traffic passing between vulnerable end users and servers can inject malicious packets into the flow that will cause the two parties to use a weak 512-bit encryption key while negotiating encrypted Web sessions. Attackers can then collect some of the resulting exchange and use cloud-based computing from Amazon or other services to factor the website's underlying private key. From that point on, attackers on a coffee-shop hotspot or other unsecured network can masquerade as the official website, a coup that allows them to read or even modify data as it passes between the site and the end user.
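As an added illustration of the downgrade just described (example code written for this page, not from the Ars article or the research team), the following Python parses a captured TLS ClientHello and ServerHello and flags the two signs of a FREAK-style downgrade: an export-grade suite being negotiated at all, and a server selection that the client never offered, which is what a client-side sensor sees when the ClientHello was rewritten in transit. The handshake bytes are constructed inline; the export suite ids are the RSA_EXPORT values from RFC 2246.

```python
import struct

# Export-grade cipher suite ids from RFC 2246 (the 512-bit RSA_EXPORT family).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def _handshake_body(record, expected_type):
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3).
    if record[0] != 0x16 or record[5] != expected_type:
        raise ValueError("not the expected TLS handshake message")
    return record[9:9 + int.from_bytes(record[6:9], "big")]

def client_hello_suites(record):
    body = _handshake_body(record, 1)          # version(2) random(32) sid_len(1) sid ...
    pos = 35 + body[34]                        # skip the session id to the suite list
    n = struct.unpack(">H", body[pos:pos + 2])[0]
    return [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + n, 2)]

def server_hello_suite(record):
    body = _handshake_body(record, 2)
    pos = 35 + body[34]                        # the single selected suite follows the session id
    return struct.unpack(">H", body[pos:pos + 2])[0]

def check_downgrade(client_hello, server_hello):
    """Return findings for a ClientHello/ServerHello pair; an empty list means nothing suspicious."""
    offered, chosen = client_hello_suites(client_hello), server_hello_suite(server_hello)
    findings = []
    if chosen in EXPORT_SUITES:
        findings.append(f"server negotiated export suite {EXPORT_SUITES[chosen]}")
    if chosen not in offered:
        # Only visible on the client's side of the path: the server answered a ClientHello
        # the client never sent, so the offer was rewritten by a man in the middle.
        findings.append(f"selected suite 0x{chosen:04x} was not in the client's offer")
    return findings

def _wrap(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack(">H", len(hs)) + hs

def build_client_hello(suites):
    # Constructed TLS 1.2 ClientHello: zero random, empty session id, null compression, no extensions.
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    return _wrap(1, b"\x03\x03" + bytes(32) + b"\x00" + struct.pack(">H", len(suite_bytes)) + suite_bytes + b"\x01\x00")

def build_server_hello(suite):
    # Constructed ServerHello: zero random, empty session id, the chosen suite, null compression.
    return _wrap(2, b"\x03\x03" + bytes(32) + b"\x00" + struct.pack(">H", suite) + b"\x00")
```

A server-side sensor sees the already-tampered ClientHello, so there only the first check fires; disabling export suites on the server, as the article recommends, removes the condition both checks look for.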

FREAK is one of several SSL-related vulnerabilities disclosed Tuesday by a research team from organizations including INRIA Paris-Rocquencourt and Microsoft. The vulnerability is indexed as CVE-2015-0204. An Apple spokesman said the company plans to issue patches for iOS and OS X next week. A Google spokeswoman said an Android patch has already been distributed to partners. In the meantime, Google is calling on all websites to disable support for export certificates.

Remember crypto export controls?

The weak 512-bit keys are a vestige of the 1990s, when the Clinton administration required weak keys to be used in any software or hardware that was exported out of the US. To satisfy the requirement, many manufacturers designed products that offered commercial-grade keys when used in the US and export-grade keys when used elsewhere. Many engineers abandoned the regimen once the export restrictions were dropped, but somehow the ciphers have managed to live on a select but significant number of end-user devices and servers.

A list of vulnerable websites is here. Matthew Green, an encryption expert at Johns Hopkins University, told Ars the vulnerable devices included virtually all Android devices, as well as iPhones and Macs. Ars has also received reports from two people that Blackberry 10.3.1.2267 is also vulnerable. Oddly, as documented by two Ars readers, IE11 in the Windows Technical Preview also tests as vulnerable to the HTTPS-crippling attack.

"This bug causes them to accept RSA export-grade keys even when the client didn't ask for export-grade RSA," Green wrote in a blog post detailing the FREAK vulnerability. "The impact of this bug can be quite nasty: it admits a 'man in the middle' attack whereby an active attacker can force down the quality of a connection, provided that the client is vulnerable and the server supports export RSA."

Content distribution service Akamai published a blog post on Monday saying that a fix rolled out to its secure network ensures FREAK attacks won't work against the company's internal (midgress) traffic or against communications (forward traffic) to any origin websites. But the post went on to warn that many Akamai-enabled websites may still be targeted.

"There is still a potential exposure when clients connect to us," the post said. "We can't fix those clients, but we can avoid the problem by disabling export ciphers. Because this is a client side issue, we've reached out to our customers and are working with them to make this change. A very small number of our customers still rely on offering service to export-mode browsers that cannot reasonably be upgraded."

The potential for abuse is high, since many website operators are reluctant to change the keys underpinning their HTTPS protection. As Green explained:

You see, it turns out that generating fresh RSA keys is a bit costly. So modern web servers don't do it for every single connection. In fact, Apache mod_ssl by default will generate a single export-grade RSA key when the server starts up, and will simply re-use that key for the lifetime of that server. What this means is that you can obtain that RSA key once, factor it, and break every session you can get your 'man in the middle' mitts on until the server goes down. And that's the ballgame.

As word of the vulnerability spread, many website operators were scrambling to reconfigure their servers so they could no longer be downgraded to the easily broken export ciphers. No doubt, the number of affected websites will decrease in the coming hours and days, but, as this post was being prepared, affected sites included NSA.gov, Whitehouse.gov, and FBI.gov, including the page the FBI uses to accept confidential tips. Within the populations scanned for the list of affected sites, 12.2 percent of the Alexa top one million, 36.7 percent of browser-trusted sites, and 26.3 percent of HTTPS servers across the full IPv4 address space were vulnerable.

FREAK had been publicly known for only a few hours at the time this post went live. In the coming hours and days, new information is likely to become available that may narrow the scope or possibly expand the severity of this bug. No doubt, one of the first resources that will be offered is a site end users can visit to find out if they're vulnerable. For now, people using Android or Apple devices should be especially cautious when visiting HTTPS-protected websites. A client-testing feature on the FREAKAttack.com site shows that Firefox for both OS X and Android isn't vulnerable, so users of those platforms should use that browser until more information is known. Green said that Google is in the process of delivering a version of Chrome for Macs that is immune to the attack, so Mac users should look out for that as well.

The research team behind FREAK included Karthikeyan Bhargavan, Antoine Delignat-Lavaud, and Jean-Karim Zinzindohoué of INRIA Paris-Rocquencourt; Cédric Fournet, Markulf Kohlweiss, and Santiago Zanella-Béguelin of Microsoft Research; Alfredo Pironti of Rome, Italy; and Pierre-Yves Strub, of IMDEA Software in Madrid, Spain. Stay tuned for updates to this post and additional coverage from Ars.