Thanks to researchers who work day and night to disclose new cyber attacks and their remedies to ensure that we are protected. Recently, researchers disclosed a new SSL/TLS vulnerability called The FREAK Attack. This is the same protocol that is responsible for secure connection between the client and the servers.
You can understand the level of vulnerability by the fact that it enables people who are involved in hacking and attacking the system with the ability to intercept HTTPS connections. These are the same HTTPS connections that exist between vulnerable clients and the communicating servers. Vulnerable clients are forced to use ‘export-grade’ cryptography, which later on can be decrypted and altered easily causing great damage to the client.
A connection that exists between the client system and server is vulnerable only when the server accepts RSA_EXPORT cipher suites. Client sitting on the other side either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204.
Avoiding The FREAK Attack
The Freak attack was discovered by Karthikeyan Bhargavan at INRIA in Paris and the mitLS team. Further developments were handled by Matthew Green and the report is maintained by the computer scientists at the University of Michigan. There are many clients that are affected by this vulnerability like many Google and Apple devices, a large number of embedded systems and other software products that use TLS without disabling the vulnerable cryptographic suites.
So what is the solution for this?
The solution that can help you from getting trapped is that when you run a web server, just disable the support for any export suites. The best suggestion is that you should disable support for all known insecure ciphers and at the same time enable forward secrecy. If you want, you can still check your website’s vulnerability using the SSL Labs’ SSL Server Test.
You can also check if your web server is attackable with this free SSL vulnerability checker tool against the FREAK attack.
You can find Alexa HTTPS Sites that support RSA Export Suites in detail on FreakAttack.com along with the domain and Alexa rank. Test to see if your browser is safe!
UPDATE: Microsoft Advisory says all its operating systems vulnerable to FREAK.