

20150303 - Freak attack

On Tuesday, March 3, 2015, researchers announced a new SSL/TLS vulnerability called the FREAK attack. It allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data. This site is dedicated to tracking the impact of the attack and helping users test whether they’re vulnerable.*

*Extract from the site freakattack.com

There are 2 families of risk:

Regarding the server

  • do not use weak (export) ciphers
    «Servers that accept RSA_EXPORT cipher suites put their users at risk»
  • ciphers recommended by TBS INTERNET on Apache and Unix products are safe
  • for other servers, such as Microsoft, changing that is difficult and even impossible
    see: https://technet.microsoft.com/en-us/library/security/3046015
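To check an Apache configuration for the server-side risk above, the following added example (not TBS INTERNET's code or recommended cipher list) reads SSLCipherSuite directives and reports whether the OpenSSL cipher string can leave export suites enabled. The sample configuration is constructed, the function names are hypothetical, and the selector ALL is assumed to include export suites, as on OpenSSL builds that still ship them.

```python
import re
import shlex

# Selectors that name export-grade suites in an OpenSSL cipher string.
EXPORT_WORDS = {"EXP", "EXPORT", "EXPORT40", "EXPORT56"}
DIRECTIVE = re.compile(r"^[ \t]*SSLCipherSuite[ \t]+(.+)$", re.I | re.M)

SAMPLE_CONF = """\
# constructed sample, not a real server configuration
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite ALL:!aNULL:+EXP
</VirtualHost>
<VirtualHost *:8443>
    SSLCipherSuite "HIGH:!aNULL:!eNULL:!EXPORT"
</VirtualHost>
"""

def is_export(word):
    # Keyword selectors (EXP, EXPORT...) or a named suite such as EXP-RC4-MD5.
    return word.upper() in EXPORT_WORDS or word.upper().startswith("EXP-")

def export_enabled(spec):
    """Return True if the cipher string can leave export suites enabled."""
    enabled = killed = False
    for token in re.split(r"[:, ]+", spec.strip()):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        parts = token[len(op):].split("+")
        # Only a bare keyword (or ALL) removes every export suite at once.
        removes = len(parts) == 1 and parts[0].upper() in EXPORT_WORDS | {"ALL"}
        # Conservative: any selector mentioning export (or ALL) may add them.
        adds = any(is_export(p) or p.upper() == "ALL" for p in parts)
        if op == "!" and removes:
            killed = True      # "!" removes permanently
        elif op == "-" and removes:
            enabled = False    # "-" removes, a later token may re-add
        elif op == "" and adds:
            enabled = True     # plain selector adds suites
        # "+" only reorders suites already in the list
    return enabled and not killed

def audit(conf_text):
    """Return (line_number, cipher_string, export_enabled) per directive."""
    results = []
    for m in DIRECTIVE.finditer(conf_text):
        line_no = conf_text.count("\n", 0, m.start()) + 1
        spec = shlex.split(m.group(1))[-1]  # last argument, quotes stripped
        results.append((line_no, spec, export_enabled(spec)))
    return results

if __name__ == "__main__":
    for line_no, spec, bad in audit(SAMPLE_CONF):
        print(f"line {line_no}: {spec} -> {'EXPORT ENABLED' if bad else 'ok'}")
```

The check errs on the side of flagging: a combined selector that mentions export suites is reported even if it would match nothing on a given OpenSSL build.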

Regarding the client

External links