FREAK - a high impact vulnerability in TLS/SSL

FREAK - a significant weakness in TLS/SSL

An international research team has devised an attack called FREAK (Factoring attack on RSA Export Keys) that lowers the strength of the encryption used in SSL/TLS connections. The attack works by forcing the server and the client to negotiate legacy, weak "export-grade" cipher suites (the vulnerability has been present for a long time) that are still supported by some mainstream browsers (Safari and the OpenSSL-based Android browser among others) and by many servers. Once the export key has been factored, an attacker can mount a man-in-the-middle attack against the encrypted connection between the server and the browser. The aforementioned legacy cipher suites were added to SSL implementations at a time when US export regulations on cryptographic material were in effect and only specific (weak) cipher suites could legally be exported. A link to a page with further information about potentially vulnerable sites and a client-side vulnerability test may be found here.
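The following is an added example, not code from the original advisory or from the FREAK researchers. It shows the defender's side of the description above: a small passive check that unwraps a TLS handshake record, reads the cipher suites a ClientHello offers or the one a ServerHello selects, and flags any export-grade RSA/DHE suite (the IANA code points are real; the handshake bytes are constructed inline with zeroed random fields, and the builder helpers exist only to produce those samples).

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type for handshake messages
CLIENT_HELLO = 0x01
SERVER_HELLO = 0x02

# Export-grade cipher suites (IANA TLS Cipher Suite Registry code points).
# A FREAK downgrade ends with one of these being negotiated.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def _read(buf, off, n):
    """Return buf[off:off+n] and the new offset, refusing truncated input."""
    if off + n > len(buf):
        raise ValueError("truncated TLS data")
    return buf[off:off + n], off + n


def parse_handshake(record: bytes):
    """Unwrap one TLS record carrying one handshake message -> (msg_type, body)."""
    hdr, off = _read(record, 0, 5)
    ctype, _version, rlen = struct.unpack("!BHH", hdr)
    if ctype != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    payload, _ = _read(record, off, rlen)
    hs_hdr, off = _read(payload, 0, 4)          # type(1) + length(3)
    msg_len = int.from_bytes(hs_hdr[1:4], "big")
    body, _ = _read(payload, off, msg_len)
    return hs_hdr[0], body


def _skip_hello_prefix(body):
    """Skip version(2) + random(32) + session_id<1 byte length> in a Hello body."""
    off = 2 + 32
    sid_len, _ = _read(body, off, 1)
    return off + 1 + sid_len[0]


def client_hello_suites(body):
    """All cipher suites offered in a ClientHello body, in the client's order."""
    off = _skip_hello_prefix(body)
    raw, off = _read(body, off, 2)
    n = struct.unpack("!H", raw)[0]
    data, _ = _read(body, off, n)
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(0, n, 2)]


def server_hello_suite(body):
    """The single cipher suite selected in a ServerHello body."""
    off = _skip_hello_prefix(body)
    raw, _ = _read(body, off, 2)
    return struct.unpack("!H", raw)[0]


def export_check(record: bytes):
    """Report which export-grade suites a Hello offers (client) or selects (server)."""
    msg_type, body = parse_handshake(record)
    if msg_type == CLIENT_HELLO:
        offered = client_hello_suites(body)
        hits = [EXPORT_SUITES[s] for s in offered if s in EXPORT_SUITES]
        return {"message": "ClientHello", "export_suites": hits}
    if msg_type == SERVER_HELLO:
        chosen = server_hello_suite(body)
        hits = [EXPORT_SUITES[chosen]] if chosen in EXPORT_SUITES else []
        return {"message": "ServerHello", "export_suites": hits}
    raise ValueError("not a ClientHello or ServerHello")


# --- constructed sample handshake records (zeroed randoms, empty session id) ---
def _wrap(msg_type, body):
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs


def build_client_hello(suites):
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, random, no session id
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # suites, null compression
    return _wrap(CLIENT_HELLO, body)


def build_server_hello(suite):
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _wrap(SERVER_HELLO, body)


# A client that still offers two export suites next to modern ones,
# and a server that picks one of them: the pattern a FREAK downgrade produces.
SAMPLE_CLIENT_HELLO = build_client_hello([0xC02F, 0x002F, 0x0003, 0x0008])
SAMPLE_SERVER_HELLO = build_server_hello(0x0003)

if __name__ == "__main__":
    print(export_check(SAMPLE_CLIENT_HELLO))
    print(export_check(SAMPLE_SERVER_HELLO))
```

A non-empty `export_suites` list on a ClientHello means the client would accept a downgrade; on a ServerHello it means the server actually agreed to one. On the server side the fix is configuration rather than detection: remove export suites from the cipher list (with OpenSSL-based servers the cipher string keyword `!EXPORT` excludes them).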