
“FREAK” flaw in Android and Apple devices cripples HTTPS crypto protection


3 replies to this topic

#1 NickAu


Posted 03 March 2015 - 11:23 PM

 

Security experts have discovered a potentially catastrophic flaw that for more than a decade has made it possible for attackers to decrypt HTTPS-protected traffic passing between Android or Apple devices and hundreds of thousands or millions of websites, including AmericanExpress.com, Bloomberg.com, NSA.gov, and FBI.gov.

In recent days, a scan of more than 14 million websites that support the secure sockets layer or transport layer security protocols found that more than 36 percent of them were vulnerable to the decryption attacks. The exploit takes about seven hours to carry out and costs as little as $100 per site. The so-called FREAK attack—short for Factoring attack on RSA-EXPORT Keys—is possible when an end user with a vulnerable device—currently known to include Android smartphones, iPhones, and Macs running Apple's OS X operating system—connects to a vulnerable HTTPS-protected website. Vulnerable sites are those configured to use a weak cipher that many had presumed had been retired long ago. At the time this post was being prepared, most Windows and Linux end-user devices were not believed to be affected.

Attackers who are in a position to monitor traffic passing between vulnerable end users and servers can inject malicious packets into the flow that will cause the two parties to use a weak 512-bit encryption key while negotiating encrypted Web sessions. Attackers can then collect some of the resulting exchange and use cloud-based computing from Amazon or other services to factor the website's underlying private key. From that point on, attackers on a coffee-shop hotspot or other unsecured network can masquerade as the official website, a coup that allows them to read or even modify data as it passes between the site and the end user.

Source and Read more.

“FREAK” flaw in Android and Apple devices cripples HTTPS crypto protection




#2 CyberProtectionGroup


Posted 05 March 2015 - 02:18 PM

Thanks for sharing.  I had read that it was initially discovered by a group at Penn State.  Not 100% sure though.  I've been following it all day.



#3 quietman7


Posted 10 March 2015 - 03:11 PM

FREAK Attack: Client Check

#4 NickAu


Posted 10 March 2015 - 04:01 PM

 

Apple has published its second major security roll-up package of the year, Security Update 2015-002, which contains fixes for multiple versions of OS X stretching from Mountain Lion 10.8.5 to Yosemite 10.10.2. These updates mitigate threats from several different vulnerabilities, but the most notable is a fix that will inoculate Safari users against the so-called "FREAK" SSL/TLS exploit (CVE-2015-0204, although at publication time the Apple page shows CVE-2015-0167 as the CVE ID for FREAK).

First publicized a week ago, the "FREAK" vulnerability can be used by an attacker to force someone’s SSL/TLS connection to a Web server to use a weak 512-bit key, which the attacker can then factor with a relatively trivial amount of work and thereby decrypt and/or modify the supposedly secure connection. The vulnerability affects OS X, iOS, Android, and Windows devices. The acronym "FREAK" stands for "Factoring attack on RSA-EXPORT Keys," which references the fact that the 512-bit weak keys are so-called legacy "export-grade" keys mandated for use in the 1990s with cryptographic hardware and software built in the US but intended for sale outside of the country.

 

Apple patches FREAK vulnerability on Mountain Lion, Mavericks, Yosemite



