Slashdot Mirror


FREAK Attack Threatens SSL Clients

msm1267 writes: For the nth time in the last couple of years, security experts are warning about a new Internet-scale vulnerability, this time in some popular SSL clients. The flaw allows an attacker to force clients to downgrade to weakened ciphers and break their supposedly encrypted communications through a man-in-the-middle attack. Researchers recently discovered that some SSL clients, including OpenSSL, will accept weak RSA keys–known as export-grade keys–without asking for those keys. Export-grade refers to 512-bit RSA keys, the key strength that was approved by the United States government for export overseas. This was an artifact from decades ago and it was thought that most servers and clients had long ago abandoned such weak ciphers. The vulnerability affects a variety of clients, most notably Apple's Safari browser.

3 of 89 comments

  1. Firefox OK, Chrome needs fixing by SIGBUS · Score: 4, Informative

    I tried the test on up-to-date Firefox (36.0) and it's immune, but Chrome on Android (40.0.2214.109) is vulnerable.

    --
    Oh, no! You have walked into the slavering fangs of a lurking grue!
  2. Re:Is there any way to block the use of old cipher by chill · Score: 3, Informative

    Answering myself to preserve the thread.

    It looks like the export cipher suite must be enabled for this to work. So if you didn't turn off old, busted ciphers then you're potentially vulnerable.

    Meh. Set your approved cipher suite and be done with it.

    --
    Learning HOW to think is more important than learning WHAT to think.
  3. Re:Is there any way to block the use of old cipher by Reemi · Score: 3, Informative

    I extensively make use of this site for cipher selection:
    https://wiki.mozilla.org/Secur...

    There are 3 levels of configuration proposed which you can use as a starting base for your own selection. The EXPORT ciphers are explicitly marked as 'Mandatory discards'. Any serious website running with these ciphers should be fined for exposing their visitors.
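The two comments above boil down to one check: does the server's cipher string still leave export-grade suites enabled? As an added example (not from the thread or any of its posters), here is a simplified Python model of how OpenSSL evaluates a cipher string, using a constructed subset of the 1.0.x suite table, so that a given string can be tested offline before it goes into a server config. The operator semantics (`:`, `!`, `-`, `+`) follow OpenSSL's documented behaviour; the catalogue and alias definitions are a deliberate simplification and an assumption of this example.

```python
from collections import namedtuple

Suite = namedtuple("Suite", "name kx auth bits export")

# Constructed subset of the OpenSSL 1.0.x suite table (suite names are real OpenSSL names).
CATALOGUE = [
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "ECDH", "RSA", 128, False),
    Suite("DHE-RSA-AES256-SHA", "DH", "RSA", 256, False),
    Suite("DES-CBC3-SHA", "RSA", "RSA", 168, False),
    Suite("DES-CBC-SHA", "RSA", "RSA", 56, False),
    Suite("ADH-AES128-SHA", "DH", "None", 128, False),     # anonymous DH, no authentication
    Suite("EXP-RC4-MD5", "RSA(512)", "RSA", 40, True),       # export-grade: 512-bit RSA, 40-bit RC4
    Suite("EXP-DES-CBC-SHA", "RSA(512)", "RSA", 40, True),
    Suite("EXP-EDH-RSA-DES-CBC-SHA", "DH(512)", "RSA", 40, True),
]

# Keyword aliases (simplified: real OpenSSL has many more and finer strength classes).
ALIASES = {
    "ALL": lambda s: True,
    "EXPORT": lambda s: s.export, "EXP": lambda s: s.export,
    "LOW": lambda s: not s.export and s.bits < 128,
    "HIGH": lambda s: s.bits >= 128,
    "aNULL": lambda s: s.auth == "None",
    "kRSA": lambda s: s.kx.startswith("RSA"),
}

def matches(token, suite):
    # A token such as 'kRSA+HIGH' matches only when every '+'-joined part matches.
    return all(ALIASES[p](suite) if p in ALIASES else suite.name == p for p in token.split("+"))

def evaluate(cipher_string):
    # Plain token adds suites, '!' deletes them permanently, '-' deletes them
    # (a later token may re-add), '+' moves already-enabled matches to the end.
    enabled, killed = [], set()
    for raw in filter(None, cipher_string.split(":")):
        op, token = (raw[0], raw[1:]) if raw[0] in "!-+" else ("", raw)
        hits = [s for s in CATALOGUE if matches(token, s)]
        if op == "!":
            killed.update(s.name for s in hits)
        if op in ("!", "-"):
            enabled = [s for s in enabled if s not in hits]
        elif op == "+":
            enabled = [s for s in enabled if s not in hits] + [s for s in enabled if s in hits]
        else:
            enabled += [s for s in hits if s not in enabled and s.name not in killed]
    return enabled

def export_suites(cipher_string):
    # Names of export-grade suites a server using this cipher string would still offer.
    return [s.name for s in evaluate(cipher_string) if s.export]
```

`"ALL:!aNULL"` still offers the EXP-* suites, while `"ALL:!aNULL:!EXPORT:!LOW"` and `"HIGH:!aNULL"` do not; note that `"-EXPORT:ALL"` re-enables them because `-` is not permanent, whereas `"!EXPORT:ALL"` does not.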