What is the freak flaw?
FREAK is an almost-acronym for “Factoring Attack on RSA-EXPORT Keys”, which describes a security vulnerability within the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, released into the wild during the 90s.
Over the weekend we learned that the vulnerability is also present in Microsoft’s Secure Channel (SChannel) stack.
The FREAK vulnerability allows “man-in-the-middle” attacks – essentially enabling an attacker to intercept “secure” HTTPS connections between clients and servers sporting the vulnerability, forcing them to use a weakened encryption – which the attacker can then decrypt and possibly manipulate/alter the data intercepted.
WHO IS VULNERABLE?
An easier question to answer would be “who isn’t”? We can confirm that the atmail cloud environment is not vulnerable.
However, many other web servers on the Internet are susceptible. The FREAK vulnerability can be exploited when a vulnerable browser connects to any web-server that accepts “export-grade” encryption. The “export-grade” class of encryption was introduced as stronger algorithms were banned, classified as weapons of war.
At the time of writing this, 26.3% of all HTTPS servers are vulnerable. 36.7% of HTTPS servers with browser-trusted certificates are vulnerable and 9.5% of HTTPS servers within the Alexa Top 1 Million domain names are vulnerable (down just under 3% over the course of the past week). This includes: American Express, Bloomberg, Groupon… Even the NSA & the White House.
FREAK is currently exploitable in:
- Internet Explorer (Windows)
- Safari (OS X and iOS)
- Google Chrome (OS X and Android)
- Opera (OS X and Linux)
- Blackberry Browser
Firefox is not affected and there is already a patch for Chrome on OS X.
WHAT CAN I DO TO PROTECT MYSELF?
Run a server? Disable support for TLS export cipher suites. This affects OpenSSL, Microsoft SChannel, Apple SecureTransport among others.
Use a browser? Keep it up-to-date and keep checking for updates, most browsers are not patched yet, but it is likely these will be available very soon.
1. Stop using Public WiFi. (This is a good rule to follow in general!)
2. Change your password for any site you’ve accessed using any of the vulnerable browsers listed above. Then change it again once the browsers have been patched.
3. Use Firefox for now on mobile devices and on Macs.
4. Keep your computer and browsers updated (also a good rule to follow in general).