Don't Get FREAK'ed Out by Export Grade SSL/TLS Security
Page 1 of 1
The FREAK vulnerability, also identified as CVE-2015-0204, is a cryptographic weakness that is triggered by use of what is known as export-grade cryptography. It was reported by the miTLS research effort, which is a joint project of INRIA and Microsoft Research.
"This attack targets a class of deliberately weak export cipher suites," the miTLS researchers stated. "As the name implies, this class of algorithms were introduced under the pressure of US governments agencies to ensure that they would be able to decrypt all foreign encrypted communication, while stronger algorithms were be banned from export (as they were classified as weapons of war). "
The flaw is actually inside the open-source OpenSSL cryptographic library for versions prior to 1.0.1k, and it has already been patched in the upstream open-source project. According to the CVE advisory, the FREAK attack "allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role."