it.ucsf.edu

Security Update:Are You Protected Against the FREAK Attack (and no, not the dance)?

Status Type

Security Update

Date and Time

Wednesday, March 4, 2015 - 15:00

Reason

Security Vulnerability

Impact

SSL & TLS Users

WHAT HAPPENED?

A major security flaw has been discovered in the Secure Sockets Layer/Transport Layer Security (SSL/TLS) cryptographic protocols named the FREAK (Factoring RSA Export Keys) which affects many website and leaves many Apple and Google device users’ exposed.

Advanced Users: For a complete description of the vulnerabilities and affected versions visit Tracking The Freak Attack at https://freakattack.com/.


AFFECTED SOFTWARE and DEVICES:

  • Open SSL
  • Apple’s Safari Web Browser
  • Google’s Android Phone’s Default Browser
  • Other Software and embedded systems that run TLS

 

WHAT'S THE PROBLEM?

The weaker encryption key can be easily cracked and used to wage man-in-the-middle attacks on the secured connections in order to sniff passwords or other sensitive information.


WHAT DO I NEED TO DO?

1. Web Site Administrators

    a. Check your site to determine if it is vulnerable:

1) On Linux and Unix (and possibly Mac OSX) you can run the following command: openssl s_client -connect hostname:443 -cipher EXPORT

  • Substitute hostname with the FQDN of the server you’d like to test
  • The correct response contains "handshake failure”. Any other response is a fail.

Note: A big thanks to Andrew Philipoff for providing this tip.


2) Run an automated SSL analyzer against the site; such as:


   b. If the site you administer is vulnerable:

1) Open SSL = Upgrade to version 1.02 which was released in January 2015 - https://www.openssl.org/source/.

2) Disable support for any export suites.

3) Instead of simply excluding RSA export cipher suites, disable support for all known insecure ciphers (e.g., there are export cipher suites protocols other than RSA) and enable forward secrecy.


2. General User
    a. Check your browser to determine if it is vulnerable -https://freakattack.com/clienttest.html

    b. If vulnerable, update your software

  • Apple and Google are preparing patches to be released in the near future.

   c. Before visiting a website where you will be revealing sensitive information, you can check the security of the website by analyzing it through https://sslanalyzer.comodoca.com/.

  • At the bottom of the report it will list if the site is vulnerable:

 




RELATED LINKS