And once again an OpenSSL vulnerability has been disclosed, this time by Karthikeyan Bhargavan and the miTLS team. As every vulnerability needs a fancy name these days, this one is called the FREAK attack.
The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted or altered. – freakattack.com
A connection is vulnerable when both conditions are met:
- The server accepts ‘RSA_EXPORT’ ciphersuites
- The client offers an ‘RSA_EXPORT’ ciphersuite OR is vulnerable to OpenSSL vulnerability CVE-2015-0204
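To make the two conditions concrete, here is a small added Python helper (not code from the original post or from the FREAK researchers) that decides whether a given server/client pairing is exposed, and shows the server-side fix of dropping every RSA_EXPORT suite. The ciphersuite lists are constructed; the suite names are the real IANA and OpenSSL spellings of the RSA_EXPORT suites. The `client_has_cve_2015_0204` flag models a client whose OpenSSL accepts a 512-bit export RSA key even though it never offered an export suite, which is the second branch of the second condition.

```python
"""Evaluate the two FREAK conditions from the post against cipher lists.

Hypothetical helper for illustration; it reasons about suite names only and
does not open any network connection.
"""

# The three RSA_EXPORT suites, in IANA form and in OpenSSL's short form.
# The EXP-EDH-* / DHE_RSA_EXPORT suites use ephemeral DH, not RSA key
# exchange, so they are deliberately not matched here.
RSA_EXPORT_IANA_PREFIX = "TLS_RSA_EXPORT_"
RSA_EXPORT_OPENSSL = {"EXP-RC4-MD5", "EXP-RC2-CBC-MD5", "EXP-DES-CBC-SHA"}


def is_rsa_export(suite: str) -> bool:
    """True if the name denotes an RSA_EXPORT (RSA key exchange, 40-bit) suite."""
    name = suite.strip().upper()
    return name.startswith(RSA_EXPORT_IANA_PREFIX) or name in RSA_EXPORT_OPENSSL


def freak_exposed(server_suites, client_suites, client_has_cve_2015_0204=False) -> bool:
    """Condition 1 AND condition 2, exactly as listed in the post."""
    server_accepts_export = any(is_rsa_export(s) for s in server_suites)
    client_offers_export = any(is_rsa_export(s) for s in client_suites)
    return server_accepts_export and (client_offers_export or client_has_cve_2015_0204)


def mitigated_server_suites(server_suites):
    """Server-side fix: strip every RSA_EXPORT suite; condition 1 can then never hold."""
    return [s for s in server_suites if not is_rsa_export(s)]


if __name__ == "__main__":
    # Constructed sample configurations.
    server = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "EXP-RC4-MD5"]
    modern_client = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
    legacy_client = modern_client + ["TLS_RSA_EXPORT_WITH_RC4_40_MD5"]

    print("legacy client:", freak_exposed(server, legacy_client))                 # True
    print("patched client:", freak_exposed(server, modern_client))                # False
    print("unpatched OpenSSL client:",
          freak_exposed(server, modern_client, client_has_cve_2015_0204=True))    # True
    print("after server fix:",
          freak_exposed(mitigated_server_suites(server), legacy_client))          # False
```

The server-side mitigation is the one that closes the issue for every client at once: once no RSA_EXPORT suite is enabled, the first condition fails regardless of what the client offers or which OpenSSL it runs.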
Right now about 1/4 of the internet’s web servers are vulnerable. We’ll update this blog post as soon as there is any news.