Computer Security Alert: FREAK ("Factoring RSA Export Keys") | Homestead Security | Forums

FREAK ("Factoring RSA Export Keys") is a security exploit of a cryptographic weakness in the SSL/TLS protocols introduced decades earlier for compliance with U.S. cryptography export regulations. These involved limiting exportable software to use only public key pairs with RSA moduli of 512 bits or less (so-called RSA_EXPORT keys), with the intention of allowing them to be broken easily by the NSA, but not by other organizations with lesser computing resources. However, by the early 2010s, increases in computing power meant that they could be broken by anyone with access to relatively modest computing resources using the well-known Number Field Sieve algorithm, using as little as $100 of cloud computing services. Combined with the ability of a man-in-the-middle to manipulate the initial cipher suite negotiation between the endpoints in the connection and the fact that the Finished hash only depended on the master secret, this meant that a man-in-the-middle, with only a modest amount of computation could break the security of any website that allowed the use of 512-bit export-grade keys. While the exploit was only discovered in 2015, its underlying vulnerabilities had been present for many years, dating back to the 1990s.

Complete Article: https://en.wikipedia.org/wiki/FREAK

Take this one seriously. It has been around a long time, but is a very recent discovery. Make sure your web browser version has fixed this, especially your mobile web browser(s). If you use Windows and are avoiding automated Windows upgrades (on principal, to avoid Windows 10, or both) you can do manual Windows upgrades and select only the specific fixes you want to allow. Find the fixes that apply to "FREAK", "SSL", "TLS", "SChannel", "Security Support Provider Interface" and "CVE-2015-1637".

LEARN, RESEARCH, & READ FOR YOURSELF: https://www.google.com/?gws_rd=ssl#q=freak+ssl

This also impacts websites. Visiting and using vulnerable websites can potentially put you at risk even if you have taken steps to secure your operating system and web browser. If you use a browser that supports add-ons/extensions like Firefox or Google Chrome, look into extensions that monitor and rate SSL/TLS connections such as SSleuth for Firefox.

If you run/administer a website (@KVR), you will want to make sure that your site is secure.

If you run a server …

You should immediately disable support for TLS export cipher suites. While you’re at it, you should also disable other cipher suites that are known to be insecure and enable forward secrecy. For instructions on how to secure popular HTTPS server software, we recommend Mozilla’s security configuration guide and their SSL configuration generator. We also recommend testing your configuration with the Qualys SSL Labs SSL Server Test tool.

From: https://freakattack.com/

This is a broad vulnerability. It applies to all network based communication. That means it's bigger than just securing the World Wide Web, bigger than securing all methods of Internet access (so if you play World of Warcraft for example, that is one of countless ways you may connect to the Internet beyond the WWW and a browser), it is bigger than your device (everything is a computer now, it's not just your desktop or laptop computer, it's your phone, your television, your home security system, your car, etc, etc, etc), and it's more than just the Internet, it's ALL your network communication (think public and private WiFi, think hardwired Ethernet switch, router, modem... think ANY NETWORK METHOD of ANY NETWORK CAPABLE DEVICE).

Now go change your underwear.