It seems like only yesterday we were all being told about the Heartbleed vulnerability in OpenSSL, and how to avoid affected sites until they had been fixed, then there was the Shellshock or Bashdoor vulnerability that meant the servers running your favourite websites were being broken into, you may even have heard of the Poodle attack that could allow an attacker to break into your SSL 3 connection, and now Freak, exploring another SSL vulnerability, albeit one that this time was practically imposed on you.
SSL is Secure Sockets Layer, it was invented way back in the early days of the internet as a way of securing communication between your computer and the computer you were ‘talking’ to, such as your bank. It encrypted the data between your computer and the banks computer so it could be sent over the public internet and not be intercepted. Due to flaws in the first two versions of SSL (SSL 1 and SSL 2) SSL 3 was redesigned and used as the de-facto security system on the internet from about 1996 until 1999 when it’s successor TLS was released.
TLS is Transport Layer Security was released in 1999 as is constantly being updated and in use today. The ‘S’ at the end of the HTTP in an internet address declares that the website is using one of these encryption systems to secure your communication.
So essentially, they are what keep the secure bits of the internet secure.
Back in the 90’s, the highest level of encryption allowed outside the USA was 512 bits. America considered the use of high-level encryption to be a weapon of war and banned it’s export (so just to clarify that, they wanted you to use encryption you thought was safe, but that they could break)
Anyway, as a result, servers hosted in America had to be able to identify the strength of your browsers security and offer a similar level. So if a user from Europe connected to an american server, such as Amazon.com or hotmail.com, the servers in America had to reduce the level of security to 512bits or lower depending on the users choice of browser/security
Now, since the ludicrous block on export of high-level security from America was lifted, and the internet embraced 1024, 2048 and higher security levels, the need for downgrading to the export-level security went away, but the servers that were configured to supply it stayed.
So, If you use one of the affected browsers and visit one of the affected websites, there’s a chance that your ‘Secure’ connection might not be a secure as you would hope.
There’s a website been setup that lists the affected browsers and websites, but typically if you use Apple (iOS or Mac) or Android default browser, you could be at risk. The list of ‘at risk’ sites is bog, and hopefully getting smaller! – it’s estimated that around 34% of web servers are at risk.
On Android devices with affected browsers, switch to a non-affected browser such as Firefox, and Apple users will need to sit tight until Apple release an fix.
If you run a website, you’ll need to disable support for insecure ciphers, and enable forward security, you’ll need to know your way around your website configuration to sort that.
Visit the Freak Attack website for more information and to test if your browser is secure or not: https://freakattack.com/
Check out this blog for more techinical understanding of the vulnerability : http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
tinsleyNET can help you secure your business and home computes against viruses and vulnerabilities, contact us for help making your internet experience safer.
tinsleyNET LTD | IT Services Consultants
Offering IT Services to businesses and home users across the UK
#WeCanHelp
Leave a Comment