Short News: OpenSSL… "FREAK" attack


And once again an OpenSSL vulnerability has been disclosed, this time by Karthikeyan Bhargavan and the miTLS team. As every vulnerability needs a fancy name these days, this one is called the FREAK attack.

The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted or altered. – freakattack.com

A connection is vulnerable when both conditions are met:

  • The server accepts ‘RSA_EXPORT’ cipher suites
  • The client offers an ‘RSA_EXPORT’ cipher suite OR is affected by OpenSSL vulnerability CVE-2015-0204
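As an added example (not from the original post), the Python below pulls the cipher suites out of a captured TLS ClientHello or ServerHello record and flags RSA_EXPORT suites, so both conditions above can be checked from a packet capture: an export suite in the ClientHello shows the client offers it, one in the ServerHello shows the server accepts it. The sample ClientHello bytes are constructed for the demonstration.

```python
import struct

# Export-grade RSA key exchange suites (IDs from RFC 2246, Appendix A).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def handshake_cipher_suites(record: bytes) -> list:
    """Cipher suites in a TLS Handshake record: the offered list for a
    ClientHello (type 1), the single selected suite for a ServerHello (type 2)."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS Handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                      # skip protocol version and 32-byte random
    pos += 1 + hello[pos]             # skip length-prefixed session id
    if hs_type == 1:                  # ClientHello: 2-byte length, 2 bytes per suite
        n = struct.unpack("!H", hello[pos:pos + 2])[0]
        return list(struct.unpack("!%dH" % (n // 2), hello[pos + 2:pos + 2 + n]))
    if hs_type == 2:                  # ServerHello: exactly one chosen suite
        return [struct.unpack("!H", hello[pos:pos + 2])[0]]
    raise ValueError("handshake type %d is not a Hello" % hs_type)


def export_suites(record: bytes) -> list:
    """Names of RSA_EXPORT suites in the record; an empty list means none."""
    return [RSA_EXPORT_SUITES[s] for s in handshake_cipher_suites(record)
            if s in RSA_EXPORT_SUITES]


def build_client_hello(suites) -> bytes:
    """Construct a minimal TLS 1.0 ClientHello record (test input only)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x01" + b"\x00" * 32 + b"\x00"              # version, random, empty session id
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")  # suite list, null compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample: a client offering two AES suites plus one export suite.
SAMPLE_CLIENT_HELLO = build_client_hello([0x002F, 0x0035, 0x0003])
```

Run `export_suites(SAMPLE_CLIENT_HELLO)` to get `['TLS_RSA_EXPORT_WITH_RC4_40_MD5']`; a ServerHello that selects such a suite is flagged the same way.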

Server administrators should disable all weak cipher suites. Great tools to make your life easier are the Mozilla SSL Config Generator and Cipherli.st.

Right now about a quarter of the internet's web servers are vulnerable. We'll update this blog post as soon as there is any news.