FREAK Flaw Removal Crawley
Security experts have discovered a potentially catastrophic flaw that for more than a decade has made it possible for attackers to decrypt HTTPS-protected traffic passing between Android or Apple devices and hundreds of thousands or millions of websites. Here’s everything users and system administrators need to know in order to stay safe now.
UPDATED. Great, just great. FREAK, the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) security hole, isn’t only in programs that use Apple’s SSL implementation or old OpenSSL. We now know that FREAK is present in Microsoft’s Secure Channel (SChannel) stack too.
FREAK enables SSL Man-in-the-Middle attacks because of bad security decisions made almost two decades ago. As Andrew Avanessian, Avecto’s EVP of consultancy and technology services, told me in an e-mail, “The FREAK attack is clear evidence of how far back the long tail of security stretches. As new technologies emerge, and cryptography hardens, many simply add on new solutions without removing out-dated and vulnerable technologies. This effectively undermines the security model you are trying to build.”
What users can do
If you’re playing the security game at home, here’s the current list of programs that can be attacked by FREAK: any program using Microsoft’s SSL/TLS stack, such as Internet Explorer (IE) on Windows Vista, 7, 8, and 8.1 and Windows Server 2003. While Microsoft doesn’t mention earlier, no-longer-supported operating systems such as Windows XP, it’s safe to presume they’re vulnerable as well.
Windows Server 2008 and 2012, if they’re used as desktops instead of servers, can also be attacked. As servers their default configurations are safe because they don’t support FREAK’s weak spot: obsolete export SSL cipher suites. Server 2003, however, does support these weak export ciphers and there’s no way to turn them off.
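The safe-by-default claim above comes down to one question: does the server ever agree to an RSA export cipher suite? Here is an added example (not code from the original article or from Microsoft) of the check an administrator can run against a server they own. It sends a TLS 1.0 ClientHello that offers only the export RSA suites from the TLS cipher-suite registry and reads the first record the server sends back: a ServerHello naming one of those suites means the server is exposed, while an alert or a non-export suite means it is not. The `probe` function and hostname argument are assumptions of this example, and `make_server_hello` exists only to build constructed responses for offline testing.

```python
"""Check whether a TLS server accepts export-grade RSA cipher suites (FREAK exposure).

Added example: builds a minimal ClientHello offering only export RSA suites
and classifies the server's first response. Run against servers you administer.
"""
import os
import socket
import struct

# RSA export cipher suites as numbered in the IANA TLS cipher-suite registry.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

HANDSHAKE, ALERT = 0x16, 0x15          # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types
TLS10 = b"\x03\x01"


def build_client_hello(suites=EXPORT_RSA_SUITES, random_bytes=None):
    """Build a TLS 1.0 ClientHello record offering only the given suites.

    Because nothing else is offered, a correctly configured server has no
    acceptable suite in common with us and must refuse the handshake.
    """
    random_bytes = os.urandom(32) if random_bytes is None else random_bytes
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        TLS10                                         # client_version
        + random_bytes                                # 32-byte client random
        + b"\x00"                                     # session_id length = 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                 # one compression method: null
    )
    handshake = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([HANDSHAKE]) + TLS10 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first TLS record a server returned.

    Returns (accepted_export, detail). accepted_export is True only when the
    server's ServerHello selects one of the export RSA suites.
    """
    if len(data) < 5:
        return False, "no TLS record received"
    rec_type, rec_len = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if rec_type == ALERT and len(payload) >= 2:
        return False, "server sent alert (level %d, description %d)" % (payload[0], payload[1])
    if rec_type != HANDSHAKE or not payload or payload[0] != SERVER_HELLO:
        return False, "unexpected record type 0x%02x" % rec_type
    # ServerHello layout: type(1) len(3) version(2) random(32) sid_len(1) sid cipher(2) comp(1)
    sid_len = payload[4 + 2 + 32]
    suite_off = 4 + 2 + 32 + 1 + sid_len
    if len(payload) < suite_off + 2:
        return False, "truncated ServerHello"
    suite = struct.unpack("!H", payload[suite_off:suite_off + 2])[0]
    if suite in EXPORT_RSA_SUITES:
        return True, "server negotiated %s (0x%04x)" % (EXPORT_RSA_SUITES[suite], suite)
    return False, "server chose non-export suite 0x%04x" % suite


def make_server_hello(suite):
    """Constructed sample ServerHello record (for offline testing only)."""
    body = TLS10 + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = bytes([SERVER_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([HANDSHAKE]) + TLS10 + struct.pack("!H", len(handshake)) + handshake


def probe(host, port=443, timeout=5.0):
    """Connect to a server you administer and report whether it accepts export RSA suites."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return classify_response(sock.recv(4096))


if __name__ == "__main__":
    import sys
    accepted, detail = probe(sys.argv[1] if len(sys.argv) > 1 else "localhost")
    print(("EXPOSED: " if accepted else "OK: ") + detail)
```

A server that is safe in the sense the article describes answers this probe with a handshake_failure alert (or simply closes the connection), which `classify_response` reports as not exposed; a Server 2003 host with its default SChannel settings is the kind of system that answers with a ServerHello selecting one of the export suites.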
Source: Steven J. Vaughan-Nichols
Image source: [AndreasS]