FREAK Attack Threatens SSL Clients

msm1267 writes: For the nth time in the last couple of years, security experts are warning about a new Internet-scale vulnerability, this time in some popular SSL clients. The flaw allows an attacker to force clients to downgrade to weakened ciphers and break their supposedly encrypted communications through a man-in-the-middle attack. Researchers recently discovered that some SSL clients, including OpenSSL, will accept weak RSA keys–known as export-grade keys–without asking for those keys. Export-grade refers to 512-bit RSA keys, the key strength that was approved by the United States government for export overseas. This was an artifact from decades ago and it was thought that most servers and clients had long ago abandoned such weak ciphers. The vulnerability affects a variety of clients, most notably Apple's Safari browser.

And this, kids, is why you configure your servers

[Opportunist]

Because clients are run by idiots. Sorry, but it's true.

Clients are run by people who look at the funny acronyms and you can watch their eyes glaze over. If they know anything about it, they will know that there are keys and these keys depend on how big the number next to them is. That there are symmetric and asymmetric keys and that 512bit can be a LOT if it's symmetric and insignificantly little if it's asymmetric is already something you won't be able to teach them.

So configure your servers, people. Configure them to ONLY accept sensible ciphers. Yes, that means that people with Internet Explorer 5 might not be able to use your page. Then inform them to fucking get a browser that was made in this millennium! These people are a security risk and bluntly, if you want to do business with them, you do not want to do business with me.

Or at least I don't want to do business with you!