There's a new SSL vulnerability out called FREAK.
Here's what you need to know about it.
- It requires the flaw to be present on both the client and the server, and the attacker must have access to the traffic between them
- It's a cipher-strength issue: the legacy export-grade keys involved can be broken in mere hours
- Successfully breaking those keys lets a man-in-the-middle (MiTM) read the data encrypted in the SSL session
- The flaw is caused by legacy functionality rooted in encryption export laws
- Safari is vulnerable, as is Android's built-in browser
As with most vulnerabilities of this type, the faster you patch, the smaller the window of attack. Our recommendations are to:
- Patch both the server side (the SSL library your web server uses) and the client side (if you're using a vulnerable browser) as soon as safely possible
- Consider making a list of the sites that were vulnerable so that you know what data could (but not necessarily did) get exposed
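The two checks behind those recommendations, as an added example that is not Fortify on Demand's code: the first function audits a server's OpenSSL-style cipher string offline for tokens that still admit export-grade suites (the server-side precondition for FREAK), and the second asks the local TLS library whether it can still negotiate them at all (the client-side one). It assumes the server configuration uses OpenSSL cipher-string syntax, as Apache, nginx and HAProxy do.

```python
import ssl

# OpenSSL cipher-string aliases that pull export-grade (e.g. RSA_EXPORT) suites
# into a list. Assumption: the server config uses OpenSSL cipher-string syntax
# (Apache SSLCipherSuite, nginx ssl_ciphers, HAProxy bind ... ciphers).
EXPORT_GROUPS = {"EXP", "EXPORT", "EXPORT40", "EXPORT56", "ALL", "COMPLEMENTOFDEFAULT"}


def admits_export_suites(cipher_string: str) -> bool:
    """Offline audit of a configured cipher string.

    Returns True when export-grade suites could still be negotiated. Group
    tokens (EXPORT, ALL, ...) act on the whole export family; a '-EXP-...' or
    '!EXP-...' only touches one suite, so it is ignored here and the check
    over-reports rather than under-reports.
    """
    enabled = False
    killed = False
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token:
            continue
        op, name = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        if name.startswith("EXP-"):            # one specific export suite
            if op == "":
                enabled = True
            continue
        if name not in EXPORT_GROUPS:
            continue
        if op == "!":
            killed = True                      # '!' cannot be undone later
        elif op == "-":
            enabled = False                    # '-' may be re-added later
        elif op == "":
            enabled = True                     # '+' only reorders
    return enabled and not killed


def local_export_suites() -> list:
    """Client-side check: export suites the local TLS library can still offer.

    A patched build has them compiled out, so selecting the EXPORT group fails
    and the list is empty; a non-empty list means this client could still be
    talked into an export-grade handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("EXPORT")
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed examples: a weak legacy server string beside a hardened one.
WEAK = "ALL:!aNULL:!eNULL"
HARDENED = "HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5"
```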
Fortify on Demand is also providing scanning services to its customers to help them with identification and cleanup of the FREAK vulnerability.
One thing we might hope to learn from this is that we should not reduce the security of a system on purpose…in order to improve security.
backdoor x time = regret
About Fortify on Demand
Fortify on Demand is a cloud-based application security solution. We perform multiple types of manual and automated security testing, including web assessments, mobile application assessments, thick client testing, ERP testing, etc., and we do it both statically and dynamically, both in the cloud and on-premise.