FREAK

| FREAK | |
|---|---|
| CVE identifiers | CVE-2015-0204 (OpenSSL), CVE-2015-1637 (Schannel), CVE-2015-1067 (Secure Transport) |
| Date discovered | March 3, 2015 |
| Discoverer | Schannel and Secure Transport) |
FREAK ("Factoring RSA Export Keys") is a
Vulnerability
The flaw was found by researchers from
Vulnerable software and devices included
Sites affected by the vulnerability included the US federal government websites fbi.gov, whitehouse.gov and nsa.gov,[10] and one security group found around 36% of the HTTPS websites it tested to be vulnerable to the exploit.[11] Geolocation of the vulnerable servers with IP2Location LITE placed 35% of them in the US.[12]
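One way to perform the server-side check behind such scans, as an added example that is not part of the original article or of any scanner it cites: send a TLS ClientHello that offers only the RSA export cipher suites defined in RFC 2246 and see whether the server selects one of them instead of answering with a handshake_failure alert. A server that negotiates an export suite here is the server-side precondition for FREAK; the client-side half (a client that accepts an export-grade RSA key it never asked for) is not exercised by this probe. The `probe` function and any host it would connect to are assumptions for illustration; the ServerHello and alert bytes at the bottom are constructed inline so the record parsing runs offline.

```python
import socket
import struct

# Export-grade RSA cipher suites from RFC 2246 (TLS 1.0). Their 512-bit RSA
# keys are what the "Factoring RSA Export Keys" attack targets.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def build_client_hello(suites):
    """Build a minimal TLS 1.0 ClientHello record offering only `suites`."""
    client_random = b"\x00" * 32  # fixed for reproducibility; a real client uses os.urandom(32)
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    body = (
        b"\x03\x01"                                       # client_version: TLS 1.0
        + client_random
        + b"\x00"                                         # session_id length: 0
        + struct.pack(">H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                     # compression_methods: null only
    )
    # Handshake header: type client_hello (1) + 3-byte body length.
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    # Record header: content type handshake (0x16), version, 2-byte length.
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_server_hello(data):
    """Return the cipher suite chosen in a ServerHello record, or None for an alert or anything else."""
    if len(data) < 5:
        return None
    content_type = data[0]
    rec_len = struct.unpack(">H", data[3:5])[0]
    if content_type != 0x16:          # 0x15 is an alert: the server refused the offer
        return None
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:  # handshake type server_hello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    # version(2) + random(32) + session_id_len(1) + session_id + cipher_suite(2) + compression(1)
    if len(body) < 35:
        return None
    sid_len = body[34]
    off = 35 + sid_len
    if len(body) < off + 2:
        return None
    return struct.unpack(">H", body[off:off + 2])[0]


def accepts_export_rsa(server_response):
    """Classify the first record a server sent back: (vulnerable?, selected suite or None)."""
    suite = parse_server_hello(server_response)
    return suite in EXPORT_RSA_SUITES, suite


def probe(host, port=443, timeout=5.0):
    """Hypothetical live check: send the export-only ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(EXPORT_RSA_SUITES)))
        return accepts_export_rsa(sock.recv(4096))


def _constructed_server_hello(suite):
    """Constructed ServerHello (TLS 1.0, zero random, empty session id) selecting `suite`."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00" + struct.pack(">H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


# Constructed responses: a server that picks DES40 (exposed) and one that sends
# a fatal handshake_failure alert (level 2, description 40), the hardened answer.
CONSTRUCTED_VULNERABLE = _constructed_server_hello(0x0008)
CONSTRUCTED_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    print(accepts_export_rsa(CONSTRUCTED_VULNERABLE))  # (True, 8)
    print(accepts_export_rsa(CONSTRUCTED_ALERT))       # (False, None)
```

OpenSSL builds of that era could run the same check with `openssl s_client -connect host:443 -cipher EXPORT`; current OpenSSL releases no longer compile the export suites in at all, so that invocation fails before any connection is attempted.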
Press reports of the exploit have described its effects as "potentially catastrophic"
As of March 2015, vendors were in the process of releasing patched software to fix the flaw.
The research paper explaining this flaw was published at the 36th IEEE Symposium on Security and Privacy and received the Distinguished Paper award.[18]
See also
- BEAST (computer security)
- BREACH (security exploit)
- CRIME (security exploit)
- Logjam (computer security)
- POODLE
- Server-Gated Cryptography
References
- [1] "The Dark Side of Microsoft Windows – Administrative...". BeyondTrust. Retrieved September 5, 2023.
- [2] B. Beurdouche et al. (May 18, 2015). "A Messy State of the Union: Taming the Composite State Machines of TLS" (PDF). IEEE Security and Privacy 2015.
- [3] "State Machine AttACKs against TLS (SMACK TLS)". smacktls.com.
- [4] "Vulnerability Summary for CVE-2015-0204". NIST. February 20, 2015.
- [5] Thomas Fox-Brewster (March 3, 2015). "What The FREAK? Why Android And iPhone Users Need To Pay Attention To The Latest Hot Vulnerability". Forbes.
- [6] Steven J. Vaughan-Nichols (March 3, 2015). "FREAK: Another day, another serious SSL security hole". ZDNet.
- [7] Darren Pauli (March 6, 2015). "All Microsoft Windows versions are vulnerable to FREAK". The Register.
- [8] "Microsoft Security Advisory 3046015: Vulnerability in Schannel Could Allow Security Feature Bypass". Microsoft. March 5, 2015.
- [9] "About the security content of iOS 8.2". apple.com. January 23, 2017.
- [10] Craig Timberg (March 3, 2015). "'FREAK' flaw undermines security for Apple and Google users, researchers discover". Washington Post.
- [11] Dennis Fisher (March 3, 2015). "New FREAK Attack Threatens Many SSL Clients". Threatpost.
- [12] "FREAK Servers By Country". March 3, 2015.
- [13] Dan Goodin (March 3, 2015). ""FREAK" flaw in Android and Apple devices cripples HTTPS crypto protection". Ars Technica.
- [14] "About Security Update 2015-002". Apple. March 9, 2015.
- [15] "About the security content of iOS 8.2". Apple. March 9, 2015.
- [16] "Microsoft Security Bulletin MS15-031 - Important". Microsoft. March 10, 2015.
- [17] "Microsoft Admits Windows Users Are Vulnerable to FREAK Attacks". eweek.com.
- [18] "IEEE Distinguished Paper award for A Messy State of the Union: Taming the Composite State Machines of TLS". May 18, 2015.