A new SSL/TLS vulnerability – dubbed ‘FREAK’ – enables attackers to intercept HTTPS connections between vulnerable clients and servers and forces the use of “export-grade” cryptography that can more easily be decrypted, according to a Tuesday post.
“A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204,” according to the post.
“Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.”
Researchers – who provided a list of top vulnerable websites – encourage web server operators to disable support for export suites, including all known insecure ciphers, and to enable forward secrecy.
Stay tuned to SCMagazine.com for continued coverage of this vulnerability.