85160670 (banned)"If U know neither the enemy nor yoursel join:2013-09-17 Edmonton, AB
85160670 (banned)
Member
2015-Mar-3 5:36 pm
What the FREAK? Huge SSL security flaw stems from US government backdoor
Fact or Fiction ¿ ¿ ....."Seven hours is all it takes to crack the encryption that is in place on some supposedly secure websites. Security experts blame the US government's ban on the use of strong encryption back in the 1990s for a vulnerability that has just come to light. Named FREAK (Factoring attack on RSA-EXPORT Keys), the flaw exists on high-profile websites including, ironically, NSA.gov. Restrictions that limited security to just 512-bit encryptions were lifted in the late 90s, but not before it was baked into software that is still in use today. The ban on the shipping of software with stronger encryption apparently backfired as it found its way back into the States. Security experts say the problem is serious, and the vulnerability is relatively easy to exploit."...[ » betanews.com/2015/03/03/ ··· ackdoor/ ]
It seems to be fact, according to a blog post by Matthew Green, who is usually reliable on such issues: Attack of the week: FREAK (or 'factoring the NSA for fun and profit').
That article has a pretty good description.
This is about breaking weak SSL encryption. The article referenced above has a good summary of why this shouldn't be a concern, along with why in reality it appears to be.
Sites in the US (at least) should be using strong keys (only), but the exploit demonstrates the ability to force the use of weak keys. There is a combination of factors that make this possible, largely based on (a) client-side bugs and (b) poor configuration of web servers that still have weak keys available.
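The two factors named in the post above, a client that accepts a cipher suite it never offered and a server that still has export-grade suites enabled, can both be spotted by comparing the ClientHello with the ServerHello. The following is an added Python example, not code from this thread or from any of the linked checkers: it constructs minimal TLS 1.0 handshake records (zeroed random fields, no extensions, labelled as constructed) and flags export suites using codes from the IANA TLS cipher-suite registry.

```python
import struct

# Export-grade suite codes from the IANA TLS Cipher Suite registry. These are
# the 512-bit RSA / 40-bit symmetric suites a FREAK downgrade lands on.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035


def _handshake_record(msg_type, body):
    """Wrap a handshake body in a Handshake header and a TLS 1.0 record header."""
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def build_client_hello(suites):
    """Constructed ClientHello: version, 32 zero bytes of random, empty session id,
    the given cipher suites, null compression, no extensions."""
    body = b"\x03\x01" + bytes(32) + b"\x00"
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"
    return _handshake_record(1, body)


def build_server_hello(suite):
    """Constructed ServerHello selecting a single cipher suite."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack(">H", suite) + b"\x00"
    return _handshake_record(2, body)


def _handshake_body(data, expected_type):
    """Strip the record and handshake headers, checking lengths and message type."""
    if len(data) < 9 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != expected_type:
        raise ValueError("unexpected or truncated handshake message")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    return body


def parse_client_hello(data):
    """Return the list of cipher-suite codes the client offered."""
    body = _handshake_body(data, 1)
    pos = 2 + 32                       # skip version and random
    sid_len = body[pos]
    pos += 1 + sid_len                 # skip session id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def parse_server_hello(data):
    """Return the cipher-suite code the server selected."""
    body = _handshake_body(data, 2)
    pos = 2 + 32
    sid_len = body[pos]
    pos += 1 + sid_len
    return struct.unpack(">H", body[pos:pos + 2])[0]


def assess(client_hello, server_hello):
    """Flag the server-side and client-side conditions a FREAK downgrade relies on."""
    offered = parse_client_hello(client_hello)
    chosen = parse_server_hello(server_hello)
    findings = []
    if chosen in EXPORT_SUITES:
        findings.append("server selected export suite " + EXPORT_SUITES[chosen])
    if chosen not in offered:
        # A correct client must abort here; accepting it is the client bug.
        findings.append("server selected a suite the client never offered")
    offered_export = [EXPORT_SUITES[s] for s in offered if s in EXPORT_SUITES]
    if offered_export:
        findings.append("client offered export suites: " + ", ".join(offered_export))
    return {"offered": offered, "chosen": chosen, "findings": findings}


if __name__ == "__main__":
    strong = build_client_hello([TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA])
    print(assess(strong, build_server_hello(TLS_RSA_WITH_AES_128_CBC_SHA)))
    print(assess(strong, build_server_hello(0x0008)))   # downgraded to an export suite
```

Run over a real capture, the same checks apply to the raw record bytes of the first two handshake messages; an empty findings list for a healthy handshake, an export suite in the ServerHello for a misconfigured server, and a selected suite absent from the ClientHello for the client-side acceptance bug.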
to 85160670
From » www.smacktls.com/
• FREAKAttack.com has statistics about potentially vulnerable websites.
• Washington Post story on FREAK.
• Forbes story on FREAK.
• Rich Salz's blog post on export RSA on Akamai
to 85160670
Another vulnerability checker: SSL FREAK Check CVE-2015-0204
to 85160670
OpenSSL takes another smack.
Blake
Ian1 Premium Member join:2002-06-18 ON
to 85160670
Near as I can tell, it's already been fixed in Ubuntu 14.04 LTS, but can't tell for sure.
siljaline "I'm lovin' that double wide" Premium Member join:2002-10-12 Montreal, QC
to 85160670
Anonymous_Anonymous Premium Member join:2004-06-21 127.0.0.1
to 85160670
Is that why my old Opera browser is not working?
to Ian1
said by Ian1: "Near as I can tell, it's already been fixed in Ubuntu 14.04 LTS, but can't tell for sure."
Probably. I just checked, and it is already fixed in openSUSE 13.2 (and probably 13.1). The chances are that the fix is in most Linux distros that do regular updates. The big risk is that people who run servers often fail to keep their software up to date.
siljaline "I'm lovin' that double wide" Premium Member join:2002-10-12 Montreal, QC
to 85160670
No changes as of this morning.
planet
Member
2015-Mar-4 9:49 am
Until patched, be sure to use your own wifi network when accessing sensitive data. No public wifi, and cell networks could be vulnerable as well. MITM attack on the same network.
85160670 (banned)"If U know neither the enemy nor yoursel join:2013-09-17 Edmonton, AB
to siljaline
Apple plans fix next week for newly uncovered Freak security bug affecting Safari...[ » www.straitstimes.com/dig ··· -securit ] ! THX ..... Randy
kevinds Premium Member join:2003-05-01 Calgary, AB
to planet
said by planet: "MITM attack on the same network."
MITM attacks I find are semi-common on cellular networks. My phone lacks the carrier's CA, so often all websites fail to connect over HTTPS, because I haven't accepted *insert carrier's CA* on my device.
siljaline "I'm lovin' that double wide" Premium Member join:2002-10-12 Montreal, QC
to 85160670
Everyone is waiting for Apple to roll out the much-awaited fix.
siljaline
to 85160670
85160670 (banned)"If U know neither the enemy nor yoursel join:2013-09-17 Edmonton, AB
85160670 (banned)
Member
2015-Mar-5 9:21 am
THX .... RANDY, & "Apple and Google prepare patches for FREAK SSL flaw" time is running [ » www.zdnet.com/article/ap ··· sl-flaw/ ]
siljaline "I'm lovin' that double wide" Premium Member join:2002-10-12 Montreal, QC
to 85160670
Stop the presses: HTTPS-crippling FREAK bug affects Windows after all
quote: "Computers running all supported versions of Microsoft Windows are vulnerable to "FREAK," a bug disclosed Monday that for more than a decade has made it possible for attackers to decrypt HTTPS-protected traffic passing between vulnerable end-users and millions of websites. [...]"
» arstechnica.com/security ··· ter-all/
Tweets - » twitter.com/dangoodin001 ··· 86453504
siljaline
to 85160670
MS KB Issued - quote: "Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows. Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system. The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems. When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers. [...]"
» technet.microsoft.com/en ··· 015.aspx
19579823 (banned) "An Awesome Dude" join:2003-08-04
to 85160670
Re: The GOVT has always had this ability!!
85160670 (banned)"If U know neither the enemy nor yoursel join:2013-09-17 Edmonton, AB
to siljaline
Re: What the FREAK? Huge SSL security flaw stems from US government backdoor
THX & ACK ..... Randy {{{ SMILE }}} we will see critical KB Tuesday patch *_* Indeed, Dude111 ...... they use the POWER of Love, NOT for us {{{ GRIN }}}
19579823 (banned) "An Awesome Dude" join:2003-08-04
19579823 (banned)
Member
2015-Mar-6 5:17 am
YA .. Ya got that right buddy!!
to nwrickert
Re: What the FREAK? Huge SSL security flaw stems from US government backdoor
In the Matthew Green post you cite, what is the meaning of his statement: "The client bugs will soon be patched (update your devices! unless you have Android in which case you're screwed)."
If you are asking about the "Android" comment, I had trouble with understanding that. I suppose he is hinting that security update handling for Android devices is not very good. This would not surprise me.
85160670 (banned)"If U know neither the enemy nor yoursel join:2013-09-17 Edmonton, AB
85160670 (banned)
Member
2015-Mar-7 9:54 am
Check if Windows is affected by the Freak Attack vulnerability ..."Browsers are not necessarily vulnerable on all systems they support. Chrome is, for instance, vulnerable on Android and Mac OS X but not on Windows. Firefox appears to be the only browser not affected by the vulnerability at all on all systems it supports. Since Internet Explorer is affected by the vulnerability on Windows, it is important to check whether your PC is vulnerable and do something about it if that is the case. The easiest way to do that is to use the Freak Client Test Tool which tests for the vulnerability and reports back if your browser is vulnerable or not."....[ » www.ghacks.net/2015/03/0 ··· ability/ ]
to siljaline
85160670 (banned)"If U know neither the enemy nor yoursel join:2013-09-17 Edmonton, AB
85160670 (banned)
Member
2015-Mar-7 9:08 pm
THX & ACK ..... 4 sharing your finding mine is fine to check WU *_*
SA3046015 Page After Workaround There Applied.
SA3046015 Instructions To Undo Workaround.
It was early still. Microsoft apparently fixed access to Windows Update at ~6:15 PM PST. But it is priceless that the aforementioned page, with the workaround, will not load (still?) once the workaround is applied. So you can't get back to the page with the instructions to undo the workaround unless you copied it (yuk!). After the workaround, as of this post: Chase Bank's and Google's logon pages loaded. BofA, Wells Fargo, MyAT&T webmail, NOT. Hope they fix those soon.
GuruGuy Premium Member join:2002-12-16 Atlanta, GA
to siljaline
said by siljaline: "Everyone is waiting for Apple to rollout the much awaited fix."
iOS 8.2 is out, but not sure if it contained a fix for FREAK.
siljaline "I'm lovin' that double wide" Premium Member join:2002-10-12 Montreal, QC
iOS 8.2 was rolled out - (what's inside) » support.apple.com/en-us/HT204423
This addresses a security issue - » support.apple.com/en-us/HT204413
Ars has a ramble some may be able to get something from - » arstechnica.com/apple/20 ··· g-fixes/