FREAKing hell: ALL Windows versions vulnerable to SSL snoop Microsoft has confirmed that its implementation of SSL/TLS in all versions of Windows is vulnerable to the FREAK encryption-downgrade attack. This means if you're using the company's Windows operating system, an attacker on your network can potentially force Internet Explorer and other software using the Windows Secure Channel …
Current list of browsers affected, for those who don't like to read sources :)
Internet Explorer Security advisory
Chrome on Mac OS Patch available now
Chrome on Android
Safari on Mac OS Patch expected next week
Safari on iOS Patch expected next week
Stock Android Browser
Blackberry Browser
Opera on Mac OS
Opera on Linux
up to date as per 2015-03-05
What exactly is the degridation of security here? I skimmed the articles, but didn't find anything definitive.
My IE is set to only use TLS 1.1 and TLS 1.2, TLS 1,0 and SSL 2.0 are disabled. It also forces a check of the certificates.
The Freakattack site says that it is still vulnerable, is that because it just checks for IE 11, or because even with these settings (AFAIK TLS 1.1 is still secure) IE 11 is vulnerable and can be forced to use a weaker protocol?
Aha, seems if they can force RSA mode, they can bypass the generating of new session keys and some messages are skipped, even though they theoretically can't be skipped (www,smacktls.com).
The good news is, I generally use Firefox for anything secure.
The Freakattack site says that it is still vulnerable, is that because it just checks for IE 11, or because even with these settings (AFAIK TLS 1.1 is still secure) IE 11 is vulnerable and can be forced to use a weaker protocol?
Yes, unfortunately TLS 1.x doesn't mean that EXPORT ciphers are disabled at all. I've tested a couple of sites, and TLS still can negotiate EXP-RC4-MD5, which makes cryptographers' eyes bleed. The problem is that EXPORT should have been removed from the default set of ciphers at least a decade ago.
Since "version 33", Firefox has had no support for 512bit keys. This makes FF unsuitable for a small number of specialised web sites, particularly from embedded devices, but also (and this is the reason it was done) makes it impossible to connect to anything using a 512 bit key.
This makes FF unsuitable for a small number of specialised web sites
There's no *reasonably* modern crypto stack (written within like the last 15 years) that requires that these cipher suites are used. Servers don't need to support them, the end. No ifs, no buts as DC would say.
Absolutely - it's high time they cleaned out all the legacy code they licensed from UNIX that keeps having these holes in...
So you'll be doing away with the convenience of directories ("folders" for you post-Win95 folk)?
You'll be doing away with the BSD-inspired TCP/IP stack?
In fact, bring it on. Getting rid of TCP/IP in Windows will mean no more Windows on the Internet and probably a vast reduction in the amount of crap we non-Windows have had to endure ever since you folk got here!
And don't get me started on supposed rewrites, if I had a dollar for every time ${WINDOWS_RELEASE} was a ground-up rewrite I'd be able to buy Microsoft several times over by now.
Opera 27.0.1689.76 is NOT vulnerable under Windows 8.1 64-bit Pro.
IE11 IS vulnerable under Windows 8.1 64-bit Pro.
** WARNING **, it is still not safe to do your banking using IE, unless you are banking with one of the very few banks that have enforced the more modern ciphers on their servers.
Internet Explorer in the Windows 10 Preview and Windows 8.1 was/is flagged up as vulnerable on freakattack.com. It is the same problem. Microsoft warns:
"Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system. The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems."
C.
Thanks for that. The website freakattack.com now says "(An earlier version of our test gave incorrect results for IE; IE is indeed vulnerable.)" Which goes to explain why I thought IE was not vulnerable earlier in the week.
On a different note it seems that with the updated website Windows Phone is now being marked as vulnerable.
I just went to the web site and it aid "Whoops, your browser might be incompatible with our test..."
Which is weird because IE 11 ought to be testable really.
So I went to the link which said "If this page loads successfully, you are vulnerable" (cve).
It didn't, I presume that I am not then.
Also, my (Denim) Windows Phone did the same thing exactly.
Have they patched it already? magically? or is the cve test site less than useful?
Medically I would equate the Windows Operating system to patient suffering the symptoms of advanced syphilis such as severe neurological damage, dementia and running sores. Should we just make out living wills and expect that the wealth of developed nations will suddenly enrich a new criminal class?
Howard you are obviously a being with mighty knowledge. You have convinced me that I need to move off Windows. Oh great one, can you recommend an OS that has no security vulnerabilities? I guess that will be the one you use. So please speaketh its name so that we can all come into the light and hail this mighty OS ;-)
This article is about a security issue affecting web browsers. The linked article contains the text "When it comes to applications, it is little wonder that web browsers topped the list, with Microsoft's Internet Explorer up at the top with a total of 242 reported vulnerabilities".
I would therefore not recommend it for the purpose advocated.
"Microsoft's Internet Explorer up at the top with a total of 242 reported vulnerabilities"."
They are multi counting the same vulnerabilities across different IE versions, but not doing so with Chrome. In terms of unique vulnerabilities, Chrome has had ~ twice as many as IE in the last year.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
