FREAK Bug More Widespread Than Thought

Demon_Skeith

The security features of HTTPS, or "hyper text transfer protocol with secure sockets layer," can be defeated thanks to a long-known bug that was previously thought not to affect computers running Windows.

A Microsoft security advisory confirmed the use of the FREAK technique to allow an attacker to "force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system."

It was previously thought that only Android, iOS, OS X, and Blackberries were affected by the bug, according to Ars Technica.

In layman's terms, this is bad news. Common uses for HTTPS include banking, social media, and basically anything that features the transfer of sensitive information. Now that this exploit is known to affect Windows users, that means that roughly 90% of computers in use are susceptible to the man-in-the-middle attack.

On its tech advisory, Microsoft offers some workarounds to protect users from the exploit, but it's quick to point out that a workaround will not correct the issue, but instead would "help block known attack vectors before a security update is available." To protect yourself from this vulnerability, it's advised that you follow Microsoft's instructions.

The company also pledged to take "the appropriate action to help protect customers," which it says could include a security update either through its monthly release process, or through an out-of-cycle security update, "depending on customer needs."

Some Lenovo laptops from last year shipped with adware that could also be used to break HTTPS encryption. Android and Apple devices are working toward closing the security hole, but the process still isn't 100%, according to the Ars report.
source

pretty bad bug.