
Thread: FREAK, yet another SSL security problem

  1. #1
    hackerman1 (Moderator)
    Join Date: Dec 2008 | Location: Sweden | Posts: 1,525

    FREAK, yet another security problem with SSL

    Attack of the week: FREAK (factoring the NSA for fun and profit)

    This is the story of how a handful of cryptographers 'hacked' the NSA.
    It's also a story of encryption backdoors, and why they never quite work out the way you want them to.

    A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL
    (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari)
    that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA.
    These attacks are real and exploitable against a shocking number of websites, including government websites.

    A Few Thoughts on Cryptographic Engineering: Attack of the week: FREAK (or 'factoring the NSA for fun and profit')

    SMACK: State Machine AttaCKs
    Last edited by hackerman1; 5th March 2015 at 12:02.

  2. #2
    HappyAndyK (Site Administrator)
    Join Date: Jun 2008 | Posts: 7,257

    This vulnerability can allow a Man-in-the-Middle attacker to force the downgrading of the cipher used in an SSL/TLS connection on a Windows client system. Microsoft Security Advisory 3046015 talks about it.

  3. #3
    hackerman1 (Moderator)

    Windows O/S with Internet Explorer....

    You can check here if your browser is safe: https://freakattack.com/clienttest.html

    Pale Moon 25.2.0 is OK.
    Last edited by hackerman1; 7th March 2015 at 11:52.

  4. #4
    hackerman1 (Moderator)

    Here is how to secure Internet Explorer

    Tools → Internet Options → Advanced
    Scroll down to the bottom

    Mark TLS 1.2, unmark all the other SSL & TLS.

    Check your browser: https://freakattack.com/clienttest.html
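
A way to verify the setting from post #4 without opening the dialog, as an added example that is not part of the original thread. It assumes the checkboxes are stored in the per-user `SecureProtocols` registry value; the function name `Get-IeProtocolState` is hypothetical, and a Group Policy setting can override what is read here.

```powershell
# Added example: report which SSL/TLS versions are ticked in
# Internet Options -> Advanced for the current user.
function Get-IeProtocolState {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    # Bit flags used by the SecureProtocols DWORD.
    $flags = [ordered]@{
        'SSL 2.0' = 0x0008
        'SSL 3.0' = 0x0020
        'TLS 1.0' = 0x0080
        'TLS 1.1' = 0x0200
        'TLS 1.2' = 0x0800
    }
    $knownMask = 0x0AA8   # all five flags above combined

    $item = Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value never written: the user has not changed the defaults.
        return [pscustomobject]@{
            RawValue    = $null
            Enabled     = @()
            Tls12Only   = $false
            Note        = 'SecureProtocols not set; Windows defaults apply'
        }
    }

    $value   = [int]$item.SecureProtocols
    $enabled = @($flags.Keys | Where-Object { $value -band $flags[$_] })

    [pscustomobject]@{
        RawValue  = '0x{0:X4}' -f $value
        Enabled   = $enabled
        # True only when TLS 1.2 is ticked and every older protocol is unticked.
        Tls12Only = (($value -band $knownMask) -eq 0x0800)
        Note      = 'Per-user value only; policy settings are not checked'
    }
}

Get-IeProtocolState | Format-List
```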

  5. #5
    HappyAndyK (Site Administrator)

    There are some useful links here: Freak Vulnerability: Are you exposed on Windows?, like the list of cipher keys you can add, or settings for Firefox too.
