Reefa Posted March 6, 2015 Share Posted March 6, 2015 Microsoft says its implementation of SSL/TLS in all versions of Windows is vulnerable to the FREAK encryption-downgrade attack.This means if you're using Windows, an attacker on your network can potentially force Internet Explorer and other software using the Windows Secure Channel component to use weak encryption over the web.Intercepted HTTPS connections can be easily cracked, revealing sensitive information such as login cookies, but only if the website or service at the other end is still supporting 1990s-era cryptography (and millions of sites still are)."Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows," Redmond says in an advisory."Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system."When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers."The bug (CVE-2015-1637) in Windows' Secure Channel component is not thought to be under active attack by eavesdroppers at the time of writing.The FREAK (Factoring attack on RSA-EXPORT Keys) mess revealed this week allows bad guys to decrypt login cookies and other sensitive information from HTTPS connections to vulnerable browsers.Redmond is pushing out details of defensive mechanisms through its Microsoft Active Protections Program. It offers imperfect workarounds including changing of the registry in Server 2003 to disable vulnerable key exchange ciphers which it warns could cause "serious problems".So far Google Chrome for OS X prior to version 41.0.2272.76 and BlackBerry OS 10.3 are known to be vulnerable. Users can visit freakattack.com to determine their browser exposure.Hundreds of cloud providers still have not moved against the vulnerability. Skyhigh Networks reports 766 cloud services were still at risk a day after FREAK was made public, based on an analysis of more than 10,000 different services.Most companies used 122 potentially vulnerable services which pointed that popular cloud services are disproportionately affected by slow patching against FREAK.http://www.theregister.co.uk/2015/03/06/all_microsoft_windows_versions_vulnerable_to_freak/ Link to comment Share on other sites More sharing options...
Cerberus Posted March 6, 2015 Share Posted March 6, 2015 Security = Offline Only! lol It's true. :( Link to comment Share on other sites More sharing options...
GRiM Posted March 6, 2015 Share Posted March 6, 2015 Firefox is not vunverable to teh attack. At least not in latest version anyway. Link to comment Share on other sites More sharing options...
steven36 Posted March 6, 2015 Share Posted March 6, 2015 https://freakattack.com/#alexa Link to comment Share on other sites More sharing options...
banned Posted March 6, 2015 Share Posted March 6, 2015 Firefox is not vunverable to teh attack. At least not in latest version anyway.That makes sense, since Firefox bundles its own security suite and does not rely on Microsoft's SChannel.And as far as I remember, Firefox wasn't vulnerable to the critical "WinShock" vulnerability either, for the same reason. Link to comment Share on other sites More sharing options...
CODYQX4 Posted March 7, 2015 Share Posted March 7, 2015 https://freakattack.com/#alexaI wonder why Chrome on OS X is vulnerable, it was secure against all of the OS flaws last year by not using OS X security functions. Link to comment Share on other sites More sharing options...
steven36 Posted March 7, 2015 Share Posted March 7, 2015 https://freakattack.com/#alexaI wonder why Chrome on OS X is vulnerable, it was secure against all of the OS flaws last year by not using OS X security functions.Its already been patched Google has already patched the version of Chrome for Mac to disable the problem, and Firefox is supposedly safe on all platforms. The formal iOS and OS X patches are still in the pipeline; Apple hasn’t provided an updated timeline for their release beyond “next week.” As for how dangerous FREAK actually is, the practical risk appears to be relatively low. The greater problem is what FREAK represents. It’s a flaw that only exists because governments attempted to mandate weak cryptography in the mistaken belief that it could retain control of security standards for the “good” guys without handing bad guys additional flaws or attack vectors. The fact that the problem has existed, undetected, for over a decade suggests that groups like the NSA and other security agencies could well have exploited it in targeted attacks –and these are precisely the kinds of threats that the NSA is supposed to be capable of guarding against.http://www.extremetech.com/computing/200555-microsoft-internet-explorer-windows-vulnerable-to-freak-attackApple announced on Tuesday 3 March that patches for OS X and iOS will be released next week. As for Google, its developers have yet to announce when a patch will be available for Chrome for Android, although Google did release an updated version of Chrome for Mac on Thursday 5 March.Security researchers have scanned over 14 million HTTPS-protected websites in recent weeks and found that 36% of these websites support the weaker 512-bit cypher, including many popular websites like Bloomberg.com, AmericanExpress.com and Groupon.com.However, many other large sites like Google and Facebook are not vulnerable, which could lure people into a false sense of security, when the real issue is: if this vulnerability has been around for over 10 years, then some hackers in the world might have already exploited it multiple times in the past.http://www.ibtimes.co.uk/freak-security-bug-does-affects-windows-users-spells-trouble-unpatched-cloud-services-1490788 Link to comment Share on other sites More sharing options...
knowledge-Spammer Posted March 7, 2015 Share Posted March 7, 2015 o thats not good newsbut good new for firefox Link to comment Share on other sites More sharing options...
oliverjia Posted March 7, 2015 Share Posted March 7, 2015 LOL, luckily I have been using Chrome on Ubuntu x64 in the past few weeks. Link to comment Share on other sites More sharing options...
Reefa Posted March 7, 2015 Author Share Posted March 7, 2015 knowledge Me understanding you more now..Maybe.?? :P Link to comment Share on other sites More sharing options...
steven36 Posted March 7, 2015 Share Posted March 7, 2015 You can check SSL yourself with this add onCalomel SSL Validationhttps://addons.mozilla.org/en-US/firefox/addon/calomel-ssl-validation/?src=searchI knew for along time most sites only used the weaker cypher 512-bit with testing with that add-on I use a vpn though my connection is all ready encrypted AES 256-BIT EncryptionAES is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits.Its been known cypher 512-bit could be cracked since 2002 Here and article from 2002 talking about it :lol:http://www.geek.com/news/512-bit-keys-cracked-in-6-weeks-549618/ Link to comment Share on other sites More sharing options...
Reefa Posted March 7, 2015 Author Share Posted March 7, 2015 You can check SSL yourself with this add onCalomel SSL Validationhttps://addons.mozilla.org/en-US/firefox/addon/calomel-ssl-validation/?src=searchI knew for along time most sites only used the weaker cypher 512-bit with testing with that add-on I use a vpn though my contention is all ready encrypted AES 256-BIT EncryptionAES is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits.Its been known cypher 512-bit could be cracked since 2002 Here and article from 2002 talking about it :lol:http://www.geek.com/news/512-bit-keys-cracked-in-6-weeks-549618/@steven36 and @dcs18 taught me a lot..And i hope to continue to Learn from them. :showoff: Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.