SSL/TLS implementations accept export-grade RSA keys (FREAK attack)

ronjor · Mar 6, 2015

Original Release date: 06 Mar 2015 | Last revised: 06 Mar 2015

Overview

Some implementations of SSL/TLS accept export-grade (512-bit or smaller) RSA keys even when not specifically requesting export grade ciphers. An attacker able to act as a Man-in-The-Middle (MiTM) could factor weak temporary RSA keys, obtain session keys, and decrypt SSL/TLS trafflc. This issue has been dubbed the "FREAK" (Factoring Attack on RSA-EXPORT Keys) attack.
Click to expand...

http://www.kb.cert.org/vuls/id/243585

lotuseclat79 · Mar 8, 2015

Why Did It Take Microsoft So Long to Acknowledge a Huge Security Hole That It Found?

On Tuesday, a team of researchers announced the latest widespread security vulnerability. Called FREAK, an acronym that might actually be better than POODLE, it’s a flaw that affects how HTTPS secure connections are established between browsers and Web servers, downgrading the connection to a weaker, more crackable encyrption.

Alongside the announcement, both Google and Apple made statements Tuesday about forthcoming patches for their products, especially mobile browsers. The companies each told the Washington Post and Reuters that they had patches rolling out. Apple promised its patch for early next week. But when you think about software that might be affected by a mainstream vulnerability, there’s another company that should come to mind. Where was Microsoft in all this, and was Windows affected?
Click to expand...

-- Tom

anon · Mar 9, 2015

Is Your Browser Safe From FREAK?
http://www.techsupportalert.com/content/your-browser-safe-freak.htm

Meanwhile, you can check if your browser is vulnerable by going to https://freakattack.com which will give you an instant indication.
Click to expand...

Sampei Nihira · Mar 9, 2015

Opera 12.17 is safe:

anon · Mar 11, 2015

IE11 (v.11.0.17*) =

https://freakattack.com/

Tracking the FREAK Attack
Good News! Your browser appears to be safe from the FREAK attack.
Click to expand...

---------------------
* =
Microsoft Patches Old Stuxnet Bug, FREAK Vulnerability
https://threatpost.com/microsoft-patches-old-stuxnet-bug-freak-vulnerability/111565

Five of the bulletins are rated critical by Microsoft, and include another Internet Explorer rollup and a patch for the recently disclosed FREAK attack.
Click to expand...

Edit:

FREAK no more: Apple, Cisco swat the latest SSL bug

Summary:The FREAK clean-up continues with Cisco and Apple releasing fixes almost in unison with Microsoft and Google.
March 11, 2015
http://www.zdnet.com/article/freak-no-more-apple-cisco-swat-the-latest-ssl-bug/
Click to expand...

Dermot7 · Mar 18, 2015

Thousands of Android and Apple apps could lose sensitive financial and privacy data through exposure to the FREAK vulnerability, researchers say.

The FREAK (Factoring RSA Export Keys) attack allowed sensitive data to be stolen before encrypted connections are secured by requesting weak export-grade 512-bit RSA keys.

FireEye researchers Yulong Zhang, Hui Xue, Tao Wei, and Zhaofeng Chen crawled the app stores and found 1228 Android offerings vulnerable to FREAK.
Click to expand...

http://www.theregister.co.uk/2015/03/18/freaky_apps_litter_top_spots_in_apple_android_app_stores/

Log in or Sign up

SSL/TLS implementations accept export-grade RSA keys (FREAK attack)

ronjor Global Moderator

lotuseclat79 Registered Member

anon Registered Member

Sampei Nihira Registered Member

anon Registered Member

Dermot7 Registered Member

Log in or Sign up

SSL/TLS implementations accept export-grade RSA keys (FREAK attack)

ronjor Global Moderator

lotuseclat79 Registered Member

anon Registered Member

Sampei Nihira Registered Member

anon Registered Member

Dermot7 Registered Member

Useful Searches