
What You Need to Know About the FREAK SSL Vulnerability

By danielmiessler

There's a new SSL vulnerability out called FREAK (Factoring RSA Export Keys).

Here's what you need to know about it.

  • It requires the flaw be present on both the client and server: a server that is still willing to negotiate an RSA_EXPORT cipher suite, and a client that accepts the resulting 512-bit "export grade" RSA key in a handshake that never asked for export ciphers
  • It's a cipher strength issue, i.e. a 512-bit RSA key is weak enough to be factored in a matter of hours with rented cloud computing, and many servers reuse the same export key across sessions, so one factoring job pays off repeatedly
  • The attacker also needs access to the traffic: the downgrade is a man-in-the-middle attack, and once the export key is factored the attacker can recover the session keys and read or tamper with everything in the SSL session
  • The flaw is caused by legacy functionality rooted in 1990s US encryption export laws, which capped exportable RSA key exchange at 512 bits; the cipher suites outlived the policy
  • Safari is vulnerable, as is Android's built-in browser

The solution

As with most vulnerabilities of this type, the faster you patch, the smaller the window of attack. Our recommendations are to:

  1. Fix both sides as soon as it is safe to do so: on the server, update your SSL/TLS library and disable every EXPORT cipher suite in the web server configuration (a server that refuses export suites cannot be downgraded); on the client, update any vulnerable browser or TLS library
  2. Consider making a list of the sites that were vulnerable so that you know what data could (but not necessarily did) get exposed
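The attack only works against servers that still negotiate RSA_EXPORT suites, so the server-side half of step 1 is easy to verify from the outside. The script below is an added example written for this post, not code from the original article or from Fortify on Demand: it hand-builds a TLS 1.0 ClientHello that offers a server nothing but the three RSA export suites from RFC 2246 and classifies the reply. A ServerHello means the server accepted an export suite and is still exposed to the downgrade described above; an alert (handshake_failure, description 40) means export suites are off. Function names, the `example.com` default target and the constructed test records are mine; the cipher suite codes and record layouts come from the TLS 1.0 specification.

```python
"""Probe a TLS server for RSA_EXPORT cipher suite support (FREAK downgrade check).

Added example, not part of the original post. The probe offers ONLY export
suites, so a ServerHello in response proves the server will still negotiate
512-bit RSA key exchange. Names below are hypothetical, not from any library.
"""
import os
import socket
import struct

# RSA export cipher suites defined in RFC 2246 (512-bit RSA key exchange).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

TLS_1_0 = b"\x03\x01"
RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02
ALERT_HANDSHAKE_FAILURE = 40


def build_client_hello(host, suites=tuple(RSA_EXPORT_SUITES), random_bytes=None):
    """Return one TLS record carrying a ClientHello that offers only `suites`
    and names `host` in a server_name (SNI) extension."""
    random_bytes = random_bytes if random_bytes is not None else os.urandom(32)
    assert len(random_bytes) == 32
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    name = host.encode("idna")
    # server_name extension: type 0x0000, list length, one host_name(0) entry.
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_entry) + 2)
               + struct.pack("!H", len(sni_entry)) + sni_entry)
    body = (
        TLS_1_0                                              # client_version
        + random_bytes
        + b"\x00"                                            # empty session_id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes  # only export suites
        + b"\x01\x00"                                        # compression: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([RECORD_HANDSHAKE]) + TLS_1_0
            + struct.pack("!H", len(handshake)) + handshake)


def parse_server_response(data):
    """Classify the first TLS record the server sent back."""
    if len(data) < 5:
        return {"kind": "no_response"}
    record_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if record_type == RECORD_ALERT and len(payload) >= 2:
        return {"kind": "alert", "level": payload[0], "description": payload[1]}
    if record_type == RECORD_HANDSHAKE and payload and payload[0] == HS_SERVER_HELLO:
        # ServerHello: type(1) len(3) version(2) random(32) sid_len(1) sid cipher(2)
        if len(payload) < 41:
            return {"kind": "truncated"}
        sid_len = payload[38]
        if len(payload) < 41 + sid_len:
            return {"kind": "truncated"}
        suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
        return {"kind": "server_hello", "cipher_suite": suite,
                "export": suite in RSA_EXPORT_SUITES}
    return {"kind": "other", "record_type": record_type}


def check_server(host, port=443, timeout=5.0):
    """Network probe: send the export-only ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        return parse_server_response(sock.recv(4096))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    res = check_server(target)
    if res["kind"] == "server_hello" and res["export"]:
        print(f"{target}: EXPOSED, negotiated {RSA_EXPORT_SUITES[res['cipher_suite']]}")
    else:
        print(f"{target}: export suites refused ({res})")
```

Run it as `python freak_probe.py www.example.org` against a host you are authorized to test. Any alert counts as a refusal, including protocol_version (70) from servers that no longer speak TLS 1.0 at all, so the probe cannot produce a false "exposed" result; a ServerHello choosing 0x0003, 0x0006 or 0x0008 is conclusive because those are the only suites offered.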

Fortify on Demand is also providing scanning services to its customers to help them with identification and cleanup of the FREAK vulnerability. 

A lesson

One thing we might hope to learn from this is that we should not deliberately weaken the security of a system in order to "improve" security: the export restrictions were meant to serve national security, but the weakened ciphers outlived the policy by two decades and ended up exposing everyone.

backdoor x time = regret


About Fortify on Demand 
Fortify on Demand is a cloud-based application security solution. We perform multiple types of manual and automated security testing, including web assessments, mobile application assessments, thick client testing and ERP testing, and we do it both statically and dynamically, both in the cloud and on premises.

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.