Early in March, miTLSteam discovered the FREAK vulnerability (CVE-2015-0204), which affects the vast landscape of the internet. It allows an attacker to intercept HTTPS connections between vulnerable clients and servers, forcing them to use weakened encryption. This allows the attacker to steal login credentials and other sensitive data.
Who is vulnerable?
The FREAK attack is possible when a vulnerable browser connects to a susceptible web server – server that accepts downgraded security setting, specifically the “export-grade” option. Free FREAK test can be found here.
The FREAK flaw affects most major browsers:
- Internet Explorer – Patch available
- Chrome on Android and Mac OS – Patch available on Mac OS
- Safari on Mac OS and iOS – Patch available
- Stock Android Browser
- BlackBerry Browser
- Opera (Mac OS, Linux)
What should you do?
If you run a server:
You should immediately disable support for TLS export cipher suites and consider disabling other cipher suites that are known to be insecure and enable forward secrecy. We recommend Mozilla’s security configuration guide and their SSL configuration generator for instructions. Consider also Qualys SSL Server Test tool.
If you use a browser:
Make sure you have the most recent version of your browser installed, and check for updates frequently.
If you are a sysadmin or a developer:
Make sure any TLS libraries you use are up to date. You also need to ensure that your software does not offer export cipher suites, even as a last resort, since they can be exploited even if the TLS library is patched. The FREAK team have provided tools for software developers that may be helpful for testing.
Follow the FREAK vulnerability here.
If you are not sure how to secure your business properly, contact us for a free consultation.