IMPORTANT - Additional notes (March 16th, 2015):
- For more details about older announcements and new ones, please visit the official openssl project website: https://www.openssl.org/news/
- Forthcoming OpenSSL releases: https://mta.openssl.org/pipermail/openssl-announce/2015-March/000020.html
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf. These releases will be made available on 19th March. They will fix a number of security defects. The highest severity defect fixed by these releases is classified as "high" severity.
All the information below is related specifically to FREAK (CVE-2015-0204):
On Tuesday, March 3, 2015, a new SSL/TLS vulnerability called the FREAK attack was announced. This vulnerability allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption. The malicious user could cause a TLS/SSL client using OpenSSL use a weaker key exchange method and then crack the key that is in use. Using this cracked key the attacker could then decrypt data during or after communications or manipulate sensitive data and replay it to the server or client.
Common Vulnerabilities and Exposures (CVE):
- CVE-2015-0204: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
Who is Vulnerable?
All server daemons/services that accepts 'export-grade' encryption. This includes any daemon/service that uses a vulnerable TLS library such as:
- OpenSSL versions before 1.0.1k are vulnerable.
- BoringSSL versions before Nov 10, 2014 are vulnerable.
- LibReSSL versions before 2.1.2 are vulnerable.
- SecureTransport is vulnerable. *
- SChannel is vulnerable. *
- Mono versions before 3.12.1 are vulnerable.
- IBM JSSE is vulnerable. *
Browsers that are vulnerable to this vulnerability include the following:
- Chrome versions before 41
- Internet Explorer is vulnerable *
- Safari is vulnerable. *
- Android Browser is vulnerable. Switch to Chrome 41.
- Blackberry Browser is vulnerable. *
- Opera on Mac and Android is vulnerable. *
* A fix has yet to be released at the time this article was written.
To Test Your Webserver:
- Use the FREAK Client Test Tool.
If you run a server …
Immediately disable support for TLS export cipher suites as well as other cipher suites that are known to be insecure and enable forward secrecy. The people at freakattack.com recommend using Mozilla’s security configuration guide and their SSL configuration generator to secure popular HTTPS server software.
If you use a browser …
Update your browser using it's own updating system or reinstall it should the update system not be working correctly. For some browsers you may have to use your operating systems updating system (ie. Internet Explorer is updated using Windows Update and Safari is updated using the App Store under "Updates").