Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register

Quick Links


Categories

In this Discussion

New SSL/TLS vulnerability: FREAK Attack
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

New SSL/TLS vulnerability: FREAK Attack

eddynetwebeddynetweb Member
edited March 2015 in General

https://freakattack.com/

On Tuesday, March 3, 2015, researchers disclosed a new SSL/TLS vulnerability — the FREAK attack. The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted. There are several posts that discuss the attack in detail: Matt Green, The Washington Post, and Ed Felten.

A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.

They recommend disabling support for any export suites and enabling forward secrecy.

If you run a web server, you should disable support for any export suites. However, instead of simply excluding RSA export cipher suites, we encourage administrators to disable support for all known insecure ciphers (e.g., there are export cipher suites protocols other than RSA) and enable forward secrecy. Mozilla has published a guide and SSL Configuration Generator, which will generate known good configurations for common servers. You can check whether your site is vulnerable using the SSL Labs' SSL Server Test.

Yet another TLS vulnerability. What a cluster duck.

EDIT: This had been known for WAY longer then when it was disclosed, so "new" may be strong.

Thanked by 3niknar1900 geekalot Blanoz

Comments

  • xaitmixaitmi Member

    Wow

  • ElixantTechnologyElixantTechnology Member

    Interesting.

  • ElixantTechnologyElixantTechnology Member

    Most providers disabled SSLv3 capabilities in light of the Poodle vulnerability some months back, and thus shouldn't be too concerned.

  • ChuckChuck Member

    I bet the NSA has known this a long time ago. Damn those bastards.

    Thanked by 1obh_ridwan
  • srpurdysrpurdy Member

    another one. I guess in someways it's a good thing that these are being released so that they can be fixed. :)

  • bashedbashed Member

    oooooh crap

  • XIAOSpider97XIAOSpider97 Member

    SSLv3 will not show green lock on Chrome...
    China gov. often MITM foreign mailboxes and MITMed GitHub... That's annoying.

  • jarjar Patron Provider, Top Host, Veteran
    edited March 2015

    So we're about how far away from companies hiring full time admins to sit around and hit refresh on sites that report SSL vulnerabilities? Long live plain text communication!

  • obh_ridwanobh_ridwan Member

    @Chuck said:
    I bet the NSA has known this a long time ago. Damn those bastards.

    I am agree with your statement. :lol

  • 4n0nx4n0nx Member

    Only works with clients and servers that support it. My servers do not support it.

  • JonchunJonchun Member

    @Jar said:
    So we're about how far away from companies hiring full time admins to sit around and hit refresh on sites that report SSL vulnerabilities? Long live plain text communication!

    so true :P

    Thanked by 1jar
  • eddynetwebeddynetweb Member

    @Jar said:
    So we're about how far away from companies hiring full time admins to sit around and hit refresh on sites that report SSL vulnerabilities? Long live plain text communication!

    Thanked by 7jar ATHK Pwner Shade 0xdragon geekalot Razza
Sign In or Register to comment.