On March 3rd, a new (but very old) bug was disclosed that impacts nearly a third of HTTPS web servers on the internet and millions of users.
The bug has been named “The FREAK Attack” (Factoring RSA Export Keys) and refers to a flaw found in many implementations of Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL). SSL and TLS are the cryptographic protocols that secure communications over a computer network, including every HTTPS connection your browser makes.
More detail from the researchers who discovered the vulnerability:
The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted or altered.
What you should do:
- First, contact your administrative or technical staff, or your web hosting provider, to discuss this issue. The full disclosure can be found at “Tracking the FREAK Attack”.
- That site will also test your browser to see whether it can be exploited by the FREAK attack. Apple users will see an update in a matter of weeks to patch iOS and OS X.
- If you run a web server, disable support for all export cipher suites. Do not stop at the RSA export suites: FREAK abuses those directly, but there are other export-grade suites (the DHE and anonymous DH export variants, for example) and other known-insecure ciphers, so disable all of them and enable forward secrecy (ECDHE or DHE key exchange). Because the attack needs both a buggy client and a server that still accepts export suites, removing the suites on the server side protects even clients that have not yet been patched. Mozilla has published a guide and an SSL Configuration Generator that produce known-good configurations for common servers. You can check whether your site is vulnerable using SSL Labs’ SSL Server Test.
- If you still aren’t sure what to do, contact us. We can walk you through the process and offer some simple ways to protect web sites that cannot be modified or updated quickly.
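To make the server-side check concrete, here is an added example (not code from the original post, the FREAK researchers, or SSL Labs) that does what a FREAK man-in-the-middle does to a ClientHello: it offers the server only export-grade cipher suites and looks at whether the ServerHello picks one. A server that answers with an export suite is still exposed; one that answers with a handshake_failure alert has refused. The hostname and the sample ServerHello bytes used for the offline check are constructed for illustration; `probe()` is the only part that touches the network.

```python
"""Probe whether a TLS server will negotiate an export-grade cipher suite.

Added example; not code from the original post. It builds a raw TLS 1.0
ClientHello that offers ONLY export suites (the position a FREAK
man-in-the-middle forces a client into) and parses the ServerHello.
Hostnames and the constructed ServerHello below are for illustration.
"""
import os
import socket
import struct

# Export-grade suite code points from RFC 2246 / RFC 5246 Appendix A.5.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
# FREAK itself abuses the RSA_EXPORT suites; the rest are listed so a scan
# also flags the weak DH/anonymous export variants the post warns about.
RSA_EXPORT_SUITES = {0x0003, 0x0006, 0x0008}


def is_export_suite(code):
    return code in EXPORT_SUITES


def build_client_hello(server_name, suites):
    """Return one TLS record carrying a ClientHello that offers only `suites`."""
    host = server_name.encode("ascii")
    # server_name extension (RFC 6066) so the probe reaches the right vhost.
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext

    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        b"\x03\x01"                                   # client_version: TLS 1.0
        + os.urandom(32)                              # client random
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                 # compression: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_server_hello(suite):
    """Constructed ServerHello record (what a server still offering export
    suites would answer); used here only to exercise the parser offline."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body       # server_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def selected_suite(server_bytes):
    """Parse the first record a server sent back.

    Returns the negotiated cipher suite as an int if the record is a
    ServerHello, or None if the server sent an alert (handshake_failure,
    protocol_version, ...) or something that is not a ServerHello.
    """
    if len(server_bytes) < 5:
        return None
    content_type, _version, rec_len = struct.unpack("!BHH", server_bytes[:5])
    rec = server_bytes[5:5 + rec_len]
    if content_type != 0x16 or len(rec) < 4 or rec[0] != 0x02:
        return None                                   # alert or not a ServerHello
    hs_len = int.from_bytes(rec[1:4], "big")
    hello = rec[4:4 + hs_len]
    # version(2) random(32) session_id_len(1) session_id(n) cipher_suite(2)
    if len(hello) < 35:
        return None
    sid_len = hello[34]
    off = 35 + sid_len
    if len(hello) < off + 2:
        return None
    return struct.unpack("!H", hello[off:off + 2])[0]


def probe(host, port=443, timeout=5.0):
    """Connect to host:port offering only export suites; return the suite the
    server picked (an EXPORT_SUITES key means it is still exposed) or None."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host, list(EXPORT_SUITES)))
        data = b""
        # Read until the first complete record has arrived.
        while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return selected_suite(data)


if __name__ == "__main__":
    import sys
    picked = probe(sys.argv[1])                       # e.g. python freakprobe.py www.example.com
    name = EXPORT_SUITES.get(picked)
    print("negotiated", hex(picked), name) if name else print("refused export suites")
```

Run it against your own hosts only. A result naming one of the suites in `EXPORT_SUITES` means the server still accepts export-grade crypto and needs its cipher list fixed (for example an `ssl_ciphers` line in nginx or `SSLCipherSuite` in Apache taken from the Mozilla generator, which excludes EXPORT, LOW, aNULL and eNULL and prefers ECDHE). A `None` result means the server sent an alert instead of a ServerHello, which also happens when it no longer speaks TLS 1.0 at all; either way it did not negotiate an export suite. The probe reads only the first record, which is enough because the cipher suite is in the ServerHello; a real scanner would also parse the Certificate message to check the RSA_EXPORT key length.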