Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Tracking the FREAK Attack


  • Please log in to reply
4 replies to this topic

#1 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,265 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:11:14 AM

Posted 11 March 2015 - 11:39 PM

 

On Tuesday, March 3, 2015, researchers announced a new SSL/TLS vulnerability called the FREAK attack. It allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data. This site is dedicated to tracking the impact of the attack and helping users test whether they’re vulnerable.

The FREAK attack was discovered by Karthikeyan Bhargavan at INRIA in Paris and the miTLS team. Further disclosure was coordinated by Matthew Green. This report is maintained by computer scientists at the University of Michigan, including Zakir Durumeric, David Adrian, Ariana Mirian, Michael Bailey, and J. Alex Halderman. The team can be contacted at freakattack@umich.edu.

For additional details about the attack and its implications, see this post by Matt Green, this site by the discoverers, this Washington Post article, and this post by Ed Felten.

https://freakattack.com/

 

You can check whether your browser is vulnerable using the FREAK Client Test Tool.


Arch Linux .
 
 Come join the fun, chat to Bleeping computer members and staff in real time on Discord.
 
The BleepingComputer Official Discord Chat Server!


BC AdBot (Login to Remove)

 


#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:02:14 AM

Posted 12 March 2015 - 01:54 AM

However, even if your browser is safe, certain third-party software, including some anti-virus products and adware programs, can expose you to the attack by intercepting TLS connections from the browser.

:blink:

#3 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:02:14 AM

Posted 12 March 2015 - 02:16 AM

The end of FREAK: Massive SSL vulnerability finally patched - Emsisoft Blogs

#4 rp88

rp88

  • Members
  • 3,022 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:01:14 AM

Posted 12 March 2015 - 03:08 PM

Microsoft has pacthed this now, and firefox and chrome both have it patched. Does any one know which antiviruses don't have it patched yet?
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#5 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:14 AM

Posted 12 March 2015 - 03:14 PM

Does any one know which antiviruses don't have it patched yet?

 

They have nothing to patch, except if they have their own SSL/TLS library, and don't use Microsoft's API.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users