The FREAK Vulnerability.

The FREAK Vulnerability, What is happening?

A new SSL/TLS vulnerability named “FREAK” was identified by several security researchers. This threat allows an attacker to get between a client and server and view what is intended to be a secure and private communication. The vulnerability is primarily due to a bug in OpenSSL client software, but only exploitable on poorly-configured web servers. Both clients and servers are at risk. Website owners can protect their sites by properly configuring their web servers by removing affected ciphers and restarting their servers. Note that this vulnerability is not related to SSL certificates. Your existing certificate will continue to work as intended. No certificate replacement is needed.

Why should a Acmetek Customer or Partner care?

Customer webservers may be vulnerable to this issue. Organizations should evaluate their web servers to determine if they are vulnerable. Symantec offers an easy-to-use check in its SSL Toolbox to allow customers to easily verify that their web sites are safe or vulnerable.

What Acmetek Customers Must Do?

It’s relatively easy to determine if a website is vulnerable, and if so, it’s relatively easy to change the configuration to block any possible attacks. Any type of web server (Apache, IIS, nginx, etc.) may be vulnerable if its configuration allows the use of so-called Export Ciphers. In Apache/OpenSSLdocumentation, for example, the names of these ciphers all begin with EXP (from

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html):

EXP-DES-CBC-SHA

EXP-RC2-CBC-MD5

EXP-RC4-MD5

EXP-EDH-RSA-DES-CBC-SHA

EXP-EDH-DSS-DES-CBC-SHA

EXP-ADH-DES-CBC-SHA

EXP-ADH-RC4-MD5

If a customer’s web server supports these ciphers, the customer must reconfigure the web server by removing these ciphers from the list of supported ciphers, and restart the web server. Although not related to this vulnerability, customers should also disable null ciphers if they are supported, since such ciphers do not provide any encryption of the SSL stream:

NULL-SHA

NULL-MD5

In Windows, the names of export ciphers contain the string “EXPORT”. Here is a list taken from

http://support.microsoft.com/kb/245030:

SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA

SSL_RSA_EXPORT1024_WITH_RC4_56_SHA

SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5

SSL_RSA_EXPORT_WITH_RC4_40_MD5

TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA

TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

TLS_RSA_EXPORT_WITH_RC4_40_MD5

NULL

We advise customers to consult their web server documentation to determine how to view the list of supported ciphers, and how to disable certain ciphers.

 

Frequently Asked Questions:

Q: How critical is this vulnerability?

A: This vulnerability appears to be as slightly less critical than POODLE. Although an attack is difficult to carry out it is important for people prioritize this patch.

Q: What should customers do?

A: Customers should remove the above listed affected ciphers (if they are supported by their web server) and restart their web server.

Q: Do SSL certificates have to be replaced?

A: No, this is not required.

 

Recent Posts

S/MIME for Outlook O365 Windows

Add to Favorites S/MIME Advantages of S/MIME Certificates S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates offer several advantages when it comes to securing email communications. Here

Read More »

Abbreviations

Add to Favorites There are literally thousands of IT abbreviations out there. Many are concerned with the technical aspects of the computer, while others deal

Read More »

SSL Installation on Qmail

Add to Favorites SSL Installation on Qmail Qmail is a secure, reliable, efficient, simple message transfer agent. It is designed for typical Internet-connected UNIX hosts.

Read More »