One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man.

- Elbert Hubbard

Security Alert: FREAK

FREAK: SSL flaw is widespread

Earlier this month, security researchers announced a set of vulnerabilities in OpenSSL, a widely used library that implements SSL/TLS, the protocols that encrypt online communication. The flaws enable what has been called the FREAK attack (Factoring RSA Export Keys).

What is FREAK? 

FREAK allows an attacker positioned between a vulnerable server and a vulnerable client to intercept their HTTPS connection and force both sides to use weak, export-grade encryption. That encryption can be easily cracked, after which the man-in-the-middle can read passwords and other sensitive information.

Many of ITG’s clients have AccessEnforcer UTM Firewalls in place. Are they affected?

Five of the 13 disclosed vulnerabilities affect LibreSSL, the SSL/TLS implementation that AccessEnforcer uses. AccessEnforcer stopped using OpenSSL in version 3.1.16.156 (Jan. 2015).

Updates are underway to patch these vulnerabilities in all active AccessEnforcer units. A gradual roll-out will complete in the coming days. The updates will happen automatically – you do not have to act.

What else is affected by FREAK?

Any system that uses OpenSSL is potentially exposed. This includes thousands of popular websites, clients, and mobile apps. Many vendors (but not all) have patches available.

Vulnerable server stats:

  • 26.3% of all HTTPS servers were initially vulnerable, according to research from the University of Michigan. They included servers from Facebook, the FBI, and many cloud service providers.
  • 11.8% of all HTTPS servers remain vulnerable.
  • 8.5% of the Alexa top 1 million domains remain vulnerable.

Vulnerable web browsers include outdated versions of:

  • Internet Explorer
  • Chrome
  • Safari
  • Android browser
  • Blackberry browser
  • Opera

Test your browser and get more info: FreakAttack.com

What should I do? 

Update all affected systems and browsers as patches become available. AccessEnforcer will update automatically. If you operate an SSL server, see the guidance on disabling insecure (export-grade) cipher suites.
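To confirm that a server you administer now refuses the export-grade suites FREAK depends on, the following script (an added example, not from the original alert or from ITG) builds a ClientHello that offers only RSA_EXPORT cipher suites and reports whether the server selects one; the `probe` helper and the hostname you pass to it are assumptions, and the parsing functions run offline on captured bytes.

```python
"""Check whether a TLS server still negotiates an RSA_EXPORT cipher suite.
Added example, not from the original alert: build_client_hello() offers only
export-grade RSA suites and negotiated_export_suite() parses the reply. A
ServerHello choosing one of them means the server still accepts the weak keys
FREAK relies on; an alert or a closed connection means it refuses them."""
import socket
import struct

# RSA_EXPORT suites (RFC 2246) that a FREAK downgrade targets.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def build_client_hello():
    """TLS 1.0 ClientHello record whose only offered suites are export-grade."""
    suites = b"".join(struct.pack("!H", s) for s in EXPORT_SUITES)
    body = (
        b"\x03\x01"                                  # client_version = TLS 1.0
        + b"\x00" * 32                               # client random (constructed)
        + b"\x00"                                    # session_id: empty
        + struct.pack("!H", len(suites)) + suites    # cipher_suites vector
        + b"\x01\x00"                                # compression: null only
    )
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body     # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # handshake record

def negotiated_export_suite(reply):
    """Name of the export suite a ServerHello selected, or None if refused."""
    if not reply:
        return None                      # server closed the connection: refused
    if len(reply) < 7:
        raise ValueError("truncated TLS record")
    if reply[0] == 21:                   # alert (e.g. handshake_failure): refused
        return None
    if reply[0] != 22 or reply[5] != 2:  # not a ServerHello handshake record
        return None
    pos = 44 + int.from_bytes(reply[43:44], "big")  # hdrs+version+random+session_id
    if len(reply) < pos + 2:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", reply[pos:pos + 2])[0]
    return EXPORT_SUITES.get(suite)

def probe(host, port=443, timeout=5.0):
    """Live check against a server you administer (assumed helper); not run on import."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        return negotiated_export_suite(s.recv(4096))
```

A server that has had export suites disabled answers this ClientHello with a handshake_failure alert or simply closes the connection, so `probe` returns None; any suite name returned means the cipher configuration still needs fixing.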
