
FREAK Vulnerability

A flaw has recently been discovered in SSL (Secure Sockets Layer) and TLS (Transport Layer Security), the protocols used to encrypt traffic between websites and browsers. This new vulnerability (named “FREAK” for “Factoring RSA-Export Attack on Keys”) is exploited through a Man-In-The-Middle (MITM) attack, which can be carried out by malware installed on your computer or from a public or unsecured Wi-Fi hotspot, to intercept supposedly secure traffic. First disclosed on March 3rd by the University of Michigan, this vulnerability stems from 1990s-era U.S. federal enforcement of weak “export-grade” ciphers.

Scarab Media performed a vulnerability assessment and found that none of our servers are vulnerable to this exploit, thanks to modifications we had previously made to our servers to mitigate the BEAST vulnerability back in 2011. Your eCommerce websites hosted at Scarab Media are verified to already be protected against the FREAK vulnerability, and nothing further needs to be done to prevent FREAK attacks on your website or to maintain PCI-DSS compliance.

You can verify that your eCommerce website is secure by running the utility at http://www.nagios.com/freak-vulnerability-tester.
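As a server-side complement to the external tester, the following added example (not Scarab Media's code or the tester's) audits the suite list that a server's cipher string expands to and reports any export-grade entries. It assumes you have captured the output of `openssl ciphers -v` for your configured cipher string; the sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample in the column layout printed by `openssl ciphers -v`
# on OpenSSL 1.0.x builds that still ship export suites (not from the page).
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
"""

FIELD = re.compile(r"^(Kx|Au|Enc|Mac)=(.+)$")


def parse_suites(text):
    """Turn `openssl ciphers -v` lines into dicts; skip blank or short lines."""
    suites = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6:
            continue
        suite = {"name": cols[0], "protocol": cols[1],
                 "export": "export" in cols[6:]}
        for col in cols[2:6]:
            m = FIELD.match(col)
            if m:
                suite[m.group(1)] = m.group(2)
        suites.append(suite)
    return suites


def audit(text):
    """Return (rsa_export, other_export) lists of suite names."""
    rsa_export, other_export = [], []
    for s in parse_suites(text):
        if not (s["export"] or s["name"].startswith("EXP")):
            continue
        # FREAK concerns the RSA export key exchange, printed as Kx=RSA(512).
        if s.get("Kx", "").startswith("RSA("):
            rsa_export.append(s["name"])
        else:
            other_export.append(s["name"])
    return rsa_export, other_export


if __name__ == "__main__":
    rsa_export, other_export = audit(SAMPLE_OUTPUT)
    print("RSA export suites (FREAK-relevant):", rsa_export or "none")
    print("Other export-grade suites:", other_export or "none")
```

Both lists should be empty for a server whose cipher string excludes export-grade suites.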

However, this vulnerability does not affect just servers and websites. It also affects all desktop operating systems, web browsers, and even smartphones. Currently Windows, Mac OS, all flavors of Linux, iOS, and Android are affected. Mozilla Firefox (on all platforms) was originally the only web browser unaffected by this vulnerability, although Google Chrome has since pushed out an update to secure its browser on all platforms as well. Security patches are expected next week for the Internet Explorer and Apple Safari (for Mac OS and iOS) browsers. Security updates for operating systems are anticipated shortly for Windows, Mac OS, iOS, and Linux. Google has stated they will push out updates to vendors for Android, but it will be up to individual vendors to determine whether or when to push out this security update to users.

You can test if your browser is vulnerable at https://freakattack.com/clienttest.html

You can find more information about the FREAK vulnerability at the following links:
