Vulnerability to OpenSSL FREAK attack

Rule from ssl under security category

What is a trooper!

we have submitted your edit to the community for review! We'll review and make it live on the site in the next few hours, the internet thanks you :).

Browse another section of the knowledge base



Suggest an edit

Cancel

This rule has no content... yet.

Add content to this rule

Or just browse to view rules that have content



 

FREAK (Factoring RSA-EXPORT Keys) is a Man-in-the-middle vulnerability discovered by a group of cryptographers at INRIA, Microsoft Research and IMDEA.

The vulnerability dates back to the 1990s, when the US government banned selling crypto software overseas, unless it used export cipher suites which involved encryption keys no longer than 512-bits.

The attack usses the fact that some modern browser clients had (and have on older version) a bug in them, where the bug caused the browser to accept export-grade RSA even if they did not request or broadcasted support. Allowing attackers to downgrade the level of security on a connection provided that the client is vulnerable and the server supports export RSA.

How do I fix this ?

Upgrade OPENSSL on the server along with negating the EXPORT cipher suite, a starting point for a list of safe ciphers would be:

Take note of the !EXPORT keyword, disabling export-grade RSA.

Resources

Browse another section of the knowledge base



Signup icon
Ready to see how well your site scores?

Passmarked works best when you have an account. It allows you to keep a dashboard with saved data of the sites you have run through the system, we’ll alert you about important updates and you get access to the Passmarked Slack forum.

Sign up to get started