FREAK: SSL flaw is widespread
Earlier this month security researchers announced a set of vulnerabilities in OpenSSL, a widely used library that implements the SSL/TLS protocols used to encrypt online communication. Among them is the flaw (CVE-2015-0204) that enables what has been called the FREAK attack (Factoring RSA Export Keys).
What is FREAK?
FREAK allows a man-in-the-middle attacker to downgrade an HTTPS connection between a vulnerable client and a vulnerable server to "export-grade" RSA encryption: 512-bit keys left over from 1990s US export restrictions. The server-side flaw is that the server still offers export cipher suites; the client-side flaw is that the client accepts an export-grade key even though it never asked for one, so the downgrade goes unnoticed. A 512-bit RSA key can be factored in a matter of hours on commodity cloud hardware, after which the attacker can decrypt the session and collect passwords and other sensitive information.
Many of ITG’s clients have AccessEnforcer UTM Firewalls in place. Are they affected?
Five of the 13 disclosed vulnerabilities affect LibreSSL, the SSL/TLS implementation used by AccessEnforcer. AccessEnforcer stopped using OpenSSL in version 22.214.171.124 (Jan. 2015).
Updates that patch these vulnerabilities are being rolled out to all active AccessEnforcer units; the gradual roll-out will complete in the coming days. The updates happen automatically, so you do not have to act.
What else is affected by FREAK?
Any client or server that still accepts export-grade RSA is potentially exposed, and that is not limited to systems built on OpenSSL: the same client-side flaw existed in Apple's SecureTransport and Microsoft's Schannel, which is why browsers that do not use OpenSSL appear in the list below. Affected systems include thousands of popular websites, clients, and mobile apps. Many vendors (but not all) have patches available.
Vulnerable server stats (University of Michigan research, as of this writing):
- 26.3% of all HTTPS servers were initially vulnerable. They included servers from Facebook, the FBI, and many cloud service providers.
- 11.8% of all HTTPS servers remain vulnerable.
- 8.5% of the Alexa top 1 million domains remain vulnerable.
Vulnerable web browsers include outdated versions of:
- Internet Explorer
- Android browser
- Blackberry browser
Test your browser and get more info: FreakAttack.com
What should I do?
Update all related systems and browsers as patches become available. AccessEnforcer will update automatically. If you operate an SSL/TLS server, disable export-grade and other insecure cipher suites in its configuration (in OpenSSL cipher-string terms, exclude them with !EXPORT) and then verify that the server no longer negotiates them; a server that will not complete a handshake offering only export suites cannot be downgraded by FREAK regardless of how outdated its clients are.
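The check below is an added example written for this page, not a tool from ITG, AccessEnforcer or the FREAK researchers. It ties together the downgrade described under "What is FREAK?" and the verification step above: it hand-builds a TLS ClientHello that offers only the RSA_EXPORT cipher suites, sends it to a server, and reports whether the server selected one of them (exposed) or refused the handshake (not exposed). Record and message layouts follow RFC 2246/5246; the suite identifiers are the standard IANA values; the default target host "example.com" is a placeholder, and the replies used in the self-test are constructed, not captured.

```python
"""Probe whether a TLS server still negotiates export-grade RSA cipher suites.

Added example, not part of the original advisory. It sends a hand-built
ClientHello offering ONLY RSA_EXPORT suites. A server that answers with a
ServerHello selecting one of them is exposed to the FREAK downgrade; a server
that has disabled export ciphers answers with a handshake_failure alert (or
simply closes the connection). Host names used here are placeholders.
"""
import os
import socket
import struct

# RSA export-grade suites from RFC 2246 (the suites FREAK downgrades to).
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE, ALERT = 0x16, 0x15          # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types
TLS_1_0 = b"\x03\x01"                   # record-layer version
TLS_1_2 = b"\x03\x03"                   # highest version offered in the hello


def build_client_hello(suites=EXPORT_RSA_SUITES):
    """Return one TLS record carrying a ClientHello that offers only `suites`."""
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    body = (
        TLS_1_2
        + os.urandom(32)                                      # client random
        + b"\x00"                                             # empty session id
        + struct.pack(">H", len(suite_bytes)) + suite_bytes   # cipher suites
        + b"\x01\x00"                                         # one compression: null
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS_1_0 + struct.pack(">H", len(handshake)) + handshake


def parse_server_response(data):
    """Decode the first TLS record of the server's reply.

    Returns a dict whose 'kind' is 'server_hello', 'alert', 'other' or 'empty';
    a ServerHello also carries the selected 'cipher_suite'.
    """
    if len(data) < 5:
        return {"kind": "empty"}
    rec_type, rec_len = data[0], struct.unpack(">H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if rec_type == ALERT and len(payload) >= 2:
        return {"kind": "alert", "level": payload[0], "description": payload[1]}
    if rec_type == HANDSHAKE and len(payload) >= 4 and payload[0] == SERVER_HELLO:
        hs = payload[4:]                       # skip 4-byte handshake header
        sid_len = hs[34]                       # after version(2) + random(32)
        suite = struct.unpack(">H", hs[35 + sid_len:37 + sid_len])[0]
        return {"kind": "server_hello", "cipher_suite": suite}
    return {"kind": "other", "record_type": rec_type}


def classify(response):
    """Turn a parsed reply into a verdict string."""
    if response["kind"] == "server_hello":
        suite = response["cipher_suite"]
        if suite in EXPORT_RSA_SUITES:
            return "VULNERABLE: server selected %s (0x%04x)" % (EXPORT_RSA_SUITES[suite], suite)
        return "unexpected: server selected non-export suite 0x%04x" % suite
    if response["kind"] == "alert":
        return "not vulnerable: server sent alert (level %d, description %d)" % (
            response["level"], response["description"])
    return "not vulnerable: no ServerHello (%s)" % response["kind"]


def probe(host, port=443, timeout=5.0):
    """Connect to host:port, send the export-only ClientHello, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""          # silent close or timeout: handshake refused
    return classify(parse_server_response(reply))


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["example.com"]:   # placeholder default host
        print(target, "->", probe(target))
```

Run it as `python3 freak_probe.py your.server.example` after changing the cipher configuration; the only acceptable answer is "not vulnerable". The hello deliberately omits SNI and every non-export suite, so a server that still completes the handshake has nothing to fall back on and is showing exactly the behaviour FREAK relies on.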