The vulnerability allows a man-in-the-middle attacker to intercept HTTPS connections between vulnerable clients and servers and force them to negotiate 'export-grade' cryptography (weak export cipher suites), whose keys can then be broken and the traffic decrypted.
It is recommended to apply the latest software patches. OpenSSL (CVE-2015-0204): versions before 1.0.1k are vulnerable.
For non-OpenSSL servers, disable support for any export cipher suites and other known insecure ciphers on your web server.
Solutions:
- Use the latest version of Chrome/IE/Mozilla instead of the Android Browser and Safari.
- Check whether your site is vulnerable: SSL Labs - https://www.ssllabs.com/ssltest/
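As an added example (not from this post or any project it links), here is an offline companion to the two server-side steps above: auditing the cipher string you configure on the web server for export-grade and other known insecure suites, and asking the local OpenSSL build which suites it can still offer. The cipher strings and the list of weak keywords are constructed for this example and follow OpenSSL cipher-list syntax; the audit is deliberately conservative (it flags a broad selector such as ALL unless the usual exclusions are present) and is not a substitute for an external scan such as SSL Labs.

```python
import re
import ssl

# Tokens that select export-grade or otherwise broken suites when they appear
# enabled (not prefixed with '!') in an OpenSSL cipher string. Constructed,
# not exhaustive: EXP*/EXPORT* are the FREAK-relevant export suites; the rest
# are legacy ciphers that a hardened configuration should also exclude.
WEAK_TOKEN = re.compile(
    r"(^|-)(EXP|EXPORT\d*|LOW|NULL|eNULL|aNULL|ADH|AECDH|RC4|DES|RC2|MD5)(-|$)"
)

# Broad selectors that pull in everything the library supports, including
# export suites on old OpenSSL builds, unless explicitly excluded.
BROAD_SELECTORS = {"ALL", "DEFAULT", "COMPLEMENTOFALL", "COMPLEMENTOFDEFAULT",
                   "MEDIUM", "LOW"}

# Exclusion groups a broad selector must be paired with; any member suffices.
REQUIRED_EXCLUSIONS = [
    ("EXPORT", "EXP"),   # export-grade suites (FREAK)
    ("ANULL", "ADH"),    # anonymous key exchange, no authentication
    ("ENULL", "NULL"),   # no encryption at all
    ("RC4",),
    ("DES",),
    ("MD5",),
]


def audit_cipher_string(cipher_string):
    """Return a list of findings for an OpenSSL-style cipher string.

    An empty list means nothing in the string enables an export-grade or
    known-insecure suite, and any broad selector is paired with the usual
    exclusions. Findings are plain strings suitable for a report.
    """
    findings = []
    enabled = []
    excluded = set()
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token:
            continue
        if token.startswith("!"):          # '!' removes the group permanently
            excluded.add(token[1:].upper())
        elif token.startswith(("-", "+")):  # '-' removes (re-addable), '+' reorders
            continue
        else:
            enabled.append(token)

    for token in enabled:
        if WEAK_TOKEN.search(token):
            findings.append(f"explicitly enables weak suite or keyword: {token}")

    if any(token.upper() in BROAD_SELECTORS for token in enabled):
        for group in REQUIRED_EXCLUSIONS:
            if not any(member in excluded for member in group):
                findings.append(
                    f"broad selector used without excluding {'/'.join(group)} "
                    f"(add !{group[0]})"
                )
    return findings


def local_openssl_export_suites():
    """Return the export-grade suite names the local OpenSSL build can offer.

    Asks the library behind Python's ssl module for every suite it knows.
    OpenSSL 1.1.0 and later removed export suites entirely, so this returns
    an empty list there; a non-empty list means the build itself is a risk.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("ALL:COMPLEMENTOFALL")
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["name"].startswith("EXP")]


# Constructed sample configurations: a weak one (explicit export suites plus
# an unqualified ALL) and a hardened one (modern AEAD suites with exclusions).
WEAK_CONFIG = "ALL:EXP-RC4-MD5:EXP-DES-CBC-SHA:RC4-SHA"
HARDENED_CONFIG = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"
)

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_cipher_string(cfg) or 'no findings'}")
    print("export suites offered by local OpenSSL:", local_openssl_export_suites())
```

The string audit is what you run against the ssl_ciphers / SSLCipherSuite value in a server configuration before deploying it; the second function is a quick sanity check of the TLS library on the host itself, since a patched configuration does not help if the library is old enough to still carry export suites.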
References:
- FREAK Attack - https://freakattack.com/
- Graham Cluley - https://grahamcluley.com/2015/03/freak-attack-what-is-it-heres-what-you-need-to-know/
- Recommended Configuration - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations