Incident Response, TDR

NEWS ALERT: New SSL/TLS vulnerability identified, dubbed ‘FREAK’

A new SSL/TLS vulnerability – dubbed 'FREAK' – enables attackers to intercept HTTPS connections between vulnerable clients and servers and forces the use of “export-grade” cryptography that can more easily be decrypted, according to a Tuesday post.

“A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204,” according to the post.

“Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.”

Researchers – who provided a list of top vulnerable websites – encourage web server operators to disable support for export suites, including all known insecure ciphers, and to enable forward secrecy.

Stay tuned to SCMagazine.com for continued coverage of this vulnerability.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds