FREAK, yet another security problem with SSL
Attack of the week: FREAK (factoring the NSA for fun and profit)
This is the story of how a handful of cryptographers 'hacked' the NSA.
It's also a story of encryption backdoors, and why they never quite work out the way you want them to.
A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari)
that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA.
These attacks are real and exploitable against a shocking number of websites, including government websites.
A Few Thoughts on Cryptographic Engineering: Attack of the week: FREAK (or 'factoring the NSA for fun and profit')
SMACK: State Machine AttaCKs
Last edited by hackerman1; 5th March 2015 at 12:02.
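As an added example (not code from the blog post or from this thread), here is a small Python check that parses a ClientHello/ServerHello pair and flags the pattern the quoted text describes: a ServerHello that selects an export-grade RSA suite the client never offered. The suite numbers are the registry values of the TLS_RSA_EXPORT suites; the handshake bytes are constructed inline.

```python
import struct

# Export-grade RSA suites (TLS cipher suite registry values) that FREAK downgrades to.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def _hello_body(record: bytes, expected_type: int) -> bytes:
    # Strip the 5-byte TLS record header and the 4-byte handshake header.
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != expected_type:
        raise ValueError("unexpected handshake type %#x" % hs[0])
    hs_len = int.from_bytes(hs[1:4], "big")
    return hs[4:4 + hs_len]

def client_hello_suites(record: bytes) -> list:
    # version(2) + random(32) + session_id_len(1) + session_id, then the suite vector.
    body = _hello_body(record, 0x01)
    pos = 35 + body[34]
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    cs = body[pos + 2:pos + 2 + cs_len]
    return [struct.unpack("!H", cs[i:i + 2])[0] for i in range(0, cs_len, 2)]

def server_hello_suite(record: bytes) -> int:
    # Same prefix as ClientHello, but a single selected suite follows the session id.
    body = _hello_body(record, 0x02)
    pos = 35 + body[34]
    return struct.unpack("!H", body[pos:pos + 2])[0]

def check_downgrade(client_hello: bytes, server_hello: bytes) -> dict:
    offered = client_hello_suites(client_hello)
    chosen = server_hello_suite(server_hello)
    export = chosen in EXPORT_RSA_SUITES
    not_offered = chosen not in offered
    # An export suite the client never asked for is the FREAK downgrade signature;
    # a correct client rejects any suite it did not offer.
    return {"chosen": chosen, "export_grade": export,
            "not_offered": not_offered, "freak_pattern": export and not_offered}

def _record(hs_type: int, body: bytes) -> bytes:
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed sample: the client offers only AES128-SHA (0x002f) and AES256-SHA (0x0035) ...
CLIENT_HELLO = _record(0x01, b"\x03\x03" + b"\x00" * 32 + b"\x00"
                       + struct.pack("!H", 4) + b"\x00\x2f\x00\x35" + b"\x01\x00")
# ... but the ServerHello it receives selects TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003).
SERVER_HELLO = _record(0x02, b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x03" + b"\x00")
```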
This vulnerability can allow a Man-in-the-Middle attacker to force the downgrading of the cipher used in an SSL/TLS connection on a Windows client system. Microsoft Security Advisory 3046015 talks about it.
Windows O/S with Internet Explorer....
You can check here if your browser is safe: https://freakattack.com/clienttest.html
Pale Moon 25.2.0 is OK.
Last edited by hackerman1; 7th March 2015 at 11:52.
Here is how to secure Internet Explorer
Tools → Internet Options → Advanced
Scroll down to the bottom
Mark TLS 1.2, unmark all the other SSL & TLS.
Check your browser: https://freakattack.com/clienttest.html
There are some useful links here, Freak Vulnerability: Are you exposed on Windows?, like the list of cipher keys you can add, or settings for Firefox too.