85160670 (banned)
Member

What the FREAK? Huge SSL security flaw stems from US government backdoor ¿

Fact or Fiction ¿ ¿ .....'Seven hours is all it takes to crack the encryption that is in place on some supposedly secure websites. Security experts blame the US government's ban on the use of strong encryption back in the 1990s for a vulnerability that has just come to light. Named FREAK (Factoring attack on RSA-EXPORT Keys), the flaw exists on high-profile websites including, ironically, NSA.gov.

Restrictions that limited security to just 512-bit encryptions were lifted in the late 90s, but not before it was baked into software that is still in use today. The ban on the shipping of software with stronger encryption apparently backfired as it found its way back into the States. Security experts say the problem is serious, and the vulnerability is relatively easy to exploit."...[ »betanews.com/2015/03/03/ ··· ackdoor/ ]

nwrickert
Mod

It seems to be fact, according to a blog post by Matthew Green who is usually reliable on such issues.

Attack of the week: FREAK (or 'factoring the NSA for fun and profit').
Shady Bimmer
Premium Member

That article has a pretty good description.

This is about breaking weak SSL encryption. The article referenced above has a good summary of why this shouldn't be a concern, along with why in reality it appears to be.

Sites in the US (at least) should be using strong keys (only), but the exploit demonstrates the ability to force the use of weak keys. There is a combination of factors that makes this possible, largely based on (a) client-side bugs and (b) poor configuration of web servers that still have weak keys available.
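One way to check point (b) on a server you administer, i.e. whether it still accepts the RSA_EXPORT suites the post refers to: an added example, not code from any poster or from the FREAK checkers linked in this thread. It sends a TLS 1.0 ClientHello that offers only export suites and reads the first record of the reply; the sample replies are constructed, not captured, and `probe()` is the only part that touches the network.

```python
import os
import socket
import struct

# RSA_EXPORT cipher suites (IANA values); accepting one means 512-bit RSA keys.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def build_client_hello(suites):
    """TLS 1.0 ClientHello record that offers only the given cipher suites."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x01" + os.urandom(32) + b"\x00"      # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def negotiated_suite(response):
    """Cipher suite chosen in the first record of a server reply, or None if the
    server refused (alert record, type 0x15) or did not send a ServerHello."""
    if len(response) < 5 or response[0] != 0x16:
        return None
    hs = response[5:5 + struct.unpack("!H", response[3:5])[0]]
    if len(hs) < 39 or hs[0] != 0x02:                    # type 2 = ServerHello
        return None
    pos = 4 + 2 + 32 + 1 + hs[38]                        # header, version, random, session id
    suite = hs[pos:pos + 2]
    return struct.unpack("!H", suite)[0] if len(suite) == 2 else None

def accepts_export_rsa(response):
    """True if the reply to an export-only ClientHello is a ServerHello that
    picks an RSA_EXPORT suite, i.e. the server still has weak keys enabled."""
    return negotiated_suite(response) in RSA_EXPORT_SUITES

def probe(host, port=443, timeout=5):
    """Live check against a host you administer; True means misconfigured."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(RSA_EXPORT_SUITES))
        return accepts_export_rsa(sock.recv(4096))

# Constructed sample replies (not captured traffic): a ServerHello choosing
# suite 0x0003, and the fatal handshake_failure alert a hardened server sends.
_body = b"\x03\x01" + b"\x00" * 32 + b"\x00" + b"\x00\x03" + b"\x00"
SAMPLE_SERVER_HELLO = (b"\x16\x03\x01" + struct.pack("!H", 4 + len(_body))
                       + b"\x02" + len(_body).to_bytes(3, "big") + _body)
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"           # level 2 fatal, code 40
```

A server that answers the export-only hello with an alert is fine on this point; only a ServerHello selecting one of the export suites indicates the weak configuration, and the client-side half of the problem (a) is not tested by this.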

chachazz to 85160670

Premium Member

From - »www.smacktls.com/

FREAKAttack.com has statistics about potentially vulnerable websites.

Washington Post story on FREAK.

Forbes story on FREAK.

• Rich Salz's blog post on export RSA on Akamai

Chubbzie to 85160670

Member

Another vulnerability checker:

SSL FREAK Check CVE-2015-0204

Link Logger to 85160670

MVM

OpenSSL takes another smack.

Blake

Ian1 to 85160670

Premium Member

Near as I can tell, it's already been fixed in Ubuntu 14.04 LTS, but can't tell for sure.

siljaline to 85160670

Premium Member

Nasty business ->
»www.techmeme.com/150303/ ··· 50303p33
»www.techmeme.com/150303/ ··· 50303p22

Anonymous_ to 85160670

Premium Member

Is that why my old Opera browser is not working?

nwrickert to Ian1

Mod

said by Ian1:

Near as I can tell, it's already been fixed in Ubuntu 14.04 LTS, but can't tell for sure.

Probably.

I just checked, and it is already fixed in openSUSE 13.2 (and probably 13.1). The chances are that the fix is in most Linux distros that do regular updates.

The big risk is that people who run servers often fail to keep their software up to date.

siljaline to 85160670

Premium Member

No changes as of this morning.

planet

Member

Until patched, be sure to use your own wifi network when accessing sensitive data. No public wifi, and cell networks could be vulnerable as well. MITM attack on the same network.

85160670 (banned) to siljaline

Member

Apple plans fix next week for newly uncovered Freak security bug affecting Safari...[ »www.straitstimes.com/dig ··· -securit ] ! THX ..... Randy

kevinds to planet

Premium Member

said by planet:

MITM attack on the same network.

MITM attacks, I find, are semi-common on cellular networks: my phone lacks the carrier's CA, so often all websites fail to connect over HTTPS, because I haven't accepted *insert carrier's CA* on my device.

siljaline to 85160670

Premium Member

Everyone is waiting for Apple to roll out the much-awaited fix.

siljaline to 85160670

Premium Member

In the meanwhile -

Time to FREAK out? How to tell if you're vulnerable
»www.computerworld.com/ar ··· ble.html

»twitter.com/gkeizer/stat ··· 73735425
85160670 (banned)

Member

THX .... RANDY, & "Apple and Google prepare patches for FREAK SSL flaw" time is running
[ »www.zdnet.com/article/ap ··· sl-flaw/ ]

siljaline to 85160670

Premium Member

Stop the presses: HTTPS-crippling “FREAK” bug affects Windows after all
quote:
Computers running all supported versions of Microsoft Windows are vulnerable to "FREAK," a bug disclosed Monday that for more than a decade has made it possible for attackers to decrypt HTTPS-protected traffic passing between vulnerable end-users and millions of websites. [...]
»arstechnica.com/security ··· ter-all/

Tweets -
»twitter.com/dangoodin001 ··· 86453504

siljaline to 85160670

Premium Member

MS KB Issued -
quote:
Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows. Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system. The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems. When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers. [...]
»technet.microsoft.com/en ··· 015.aspx

19579823 (banned) to 85160670

Member

The GOVT has always had this ability!!

85160670 (banned) to siljaline

Member

THX & ACK ..... Randy {{{ SMILE }}} we will see critical KB Tuesday patch *_*
Indeed, Dude111 ...... they use the POWER of Love, NOT for us {{{ GRIN }}}
19579823 (banned)

Member

YA .. Ya got that right buddy!!

 
DonLibes to nwrickert

said by nwrickert:

It seems to be fact, according to a blog post by Matthew Green who is usually reliable on such issues.

Attack of the week: FREAK (or 'factoring the NSA for fun and profit').

In the Matthew Green post you cite, what is the meaning of his statement:

The client bugs will soon be patched (update your devices! unless you have Android in which case you're screwed).


nwrickert

Mod

If you are asking about the "Android" comment, I had trouble with understanding that. I suppose he is hinting that security update handling for Android devices is not very good. This would not surprise me.

85160670 (banned)

Member

Check if Windows is affected by the Freak Attack vulnerability ..."Browsers are not necessarily vulnerable on all systems they support. Chrome is for instance vulnerable on Android and Mac OS X but not on Windows.

Firefox appears to be the only browser not affected by the vulnerability at all on all systems it supports.

Since Internet Explorer is affected by the vulnerability on Windows, it is important to check whether your PC is vulnerable and do something about it if that is the case.

The easiest way to do that is to use the Freak Client Test Tool which tests for the vulnerability and reports back if your browser is vulnerable or not."....[ »www.ghacks.net/2015/03/0 ··· ability/ ]

CountPsylli to siljaline

Member

Windows Update after SA3046015 workaround applied.
The workaround at

»technet.microsoft.com/en ··· 015.aspx

seems to leave Windows Update unable to connect.

85160670 (banned)

Member

THX & ACK ..... 4 sharing your finding mine is fine to check WU *_*
CountPsylli

Member

SA3046015 Page After Workaround There Applied.
SA3046015 Instructions To Undo Workaround.
It was early still. Microsoft apparently fixed access to Windows Update at ~6:15 PM PST. But, it is priceless that the aforementioned page, with the workaround, will not load (still?) once the workaround is applied. So you can't get back to the page with the instruction to undo the workaround unless you copied it (yuk!).

After workaround, as of this post:

Chase Bank's and Google's logon pages loaded.

BofA, Wells Fargo, MyAt&T webmail, NOT.

Hope they fix those soon.

GuruGuy to siljaline

Premium Member

said by siljaline:

Everyone is waiting for Apple to rollout the much awaited fix.

iOS 8.2 is out, but not sure if it contained a fix for FREAK.

siljaline

Premium Member

iOS 8.2 was rolled out -
(what's inside)
»support.apple.com/en-us/HT204423

This addresses a security issue -
»support.apple.com/en-us/HT204413

Ars has a ramble some may be able to get something from -
»arstechnica.com/apple/20 ··· g-fixes/