New SSL/TLS vulnerability: FREAK Attack
eddynetweb
Member
On Tuesday, March 3, 2015, researchers disclosed a new SSL/TLS vulnerability — the FREAK attack. The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted. There are several posts that discuss the attack in detail: Matt Green, The Washington Post, and Ed Felten. A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.
They recommend disabling support for any export suites and enabling forward secrecy.
If you run a web server, you should disable support for any export suites. However, instead of simply excluding RSA export cipher suites, we encourage administrators to disable support for all known insecure ciphers (e.g., there are export cipher suites protocols other than RSA) and enable forward secrecy. Mozilla has published a guide and SSL Configuration Generator, which will generate known good configurations for common servers. You can check whether your site is vulnerable using the SSL Labs' SSL Server Test.
Yet another TLS vulnerability. What a cluster duck.
EDIT: This had been known for WAY longer than when it was disclosed, so "new" may be strong.
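The vulnerability condition and the recommendation quoted in the post above (no export suites, forward secrecy enabled), as an added example that is not part of the original post: a check over the cipher suite names a scanner reports as accepted by a server. The function names and both sample suite lists are constructed for illustration.

```python
import re

KX_TOKENS = {"ECDHE", "DHE", "EDH", "ADH", "AECDH", "ECDH", "DH", "PSK", "SRP", "KRB5"}
EPHEMERAL = {"ECDHE", "DHE", "EDH"}
TLS13 = re.compile(r"^TLS_(AES|CHACHA20)_")  # TLS 1.3 suites: key exchange is always ephemeral

def classify(suite):
    """Tag one cipher suite name given in IANA (TLS_...) or OpenSSL (EXP-...) style."""
    s = suite.strip().upper()
    if TLS13.match(s):
        return {"forward_secrecy"}
    if s.startswith(("TLS_", "SSL_")):
        kx = s.split("_WITH_")[0].split("_", 1)[1].split("_")  # e.g. ['RSA', 'EXPORT']
        export = any(p.startswith("EXPORT") for p in kx)
        kx_alg = kx[0]
    else:
        parts = s.split("-")
        export = parts[0].startswith("EXP")  # covers EXP- and EXP1024- prefixes
        if export:
            parts = parts[1:]
        kx_alg = parts[0] if parts[0] in KX_TOKENS else "RSA"  # no prefix means RSA key exchange
    tags = set()
    if export:
        tags.add("export")
        if kx_alg == "RSA":
            tags.add("rsa_export")  # the suites FREAK downgrades to
    elif kx_alg in EPHEMERAL:
        tags.add("forward_secrecy")  # export-grade DHE is not counted as forward secrecy
    return tags

def audit(server_suites):
    """Group the accepted suites into RSA export, other export, and forward-secret."""
    tagged = {s: classify(s) for s in server_suites}
    return {
        "rsa_export": [s for s, t in tagged.items() if "rsa_export" in t],
        "other_export": [s for s, t in tagged.items() if "export" in t and "rsa_export" not in t],
        "forward_secrecy": [s for s, t in tagged.items() if "forward_secrecy" in t],
    }

def connection_vulnerable(server_suites, client_offers_rsa_export, client_has_cve_2015_0204):
    """Server accepts RSA_EXPORT AND (client offers it OR client has the OpenSSL bug)."""
    return bool(audit(server_suites)["rsa_export"]) and (
        client_offers_rsa_export or client_has_cve_2015_0204)

# Constructed samples: suites a scanner reported as accepted by two hypothetical servers.
LEGACY = ["TLS_RSA_EXPORT_WITH_RC4_40_MD5", "EXP-EDH-RSA-DES-CBC-SHA", "AES128-SHA"]
HARDENED = ["ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_128_GCM_SHA256", "DHE-RSA-AES256-SHA"]

if __name__ == "__main__":
    for name, suites in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, audit(suites), connection_vulnerable(suites, False, True))
```

A server passes when both export lists are empty and the forward-secrecy list is not.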
Comments
Wow
Interesting.
Most providers disabled SSLv3 capabilities in light of the Poodle vulnerability some months back, and thus shouldn't be too concerned.
I bet the NSA has known this a long time ago. Damn those bastards.
Another one. I guess in some ways it's a good thing that these are being released so that they can be fixed.
oooooh crap
SSLv3 will not show green lock on Chrome...
China gov. often MITM foreign mailboxes and MITMed GitHub... That's annoying.
So we're about how far away from companies hiring full time admins to sit around and hit refresh on sites that report SSL vulnerabilities? Long live plain text communication!
I agree with your statement. :lol
Only works with clients and servers that support it. My servers do not support it.
so true :P