Security researchers have identified a new SSL/TLS vulnerability named “FREAK”, a decade-old encryption flaw that leaves device users exposed to having their electronic communications intercepted. It is a threat because FREAK allows an attacker to get between a client and a server and read what is intended to be a secure, private communication.
The vulnerability is primarily due to a bug in OpenSSL client software and Microsoft’s SChannel library, but it is only exploitable against poorly configured web servers, so both clients and servers are at risk. Website owners can protect their sites by properly configuring their web servers. End users will need to wait for software vendors to release new versions that include a fix.
Note that this vulnerability is not related to SSL certificates. Your existing certificate will continue to work as intended; no certificate replacement is needed.
Organizations should evaluate their web servers to determine whether they are vulnerable. Symantec offers an easy-to-use check in its SSL Toolbox that lets customers verify whether their websites are safe or vulnerable. Every website administrator should evaluate their own systems.
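For administrators who want to test their own servers directly rather than through a hosted tool, the following is an added example (not Symantec's tool or code from the original post). It sends a TLS 1.0 ClientHello that offers only the RSA_EXPORT cipher suites FREAK depends on and reports whether the server accepts one; it assumes plain TLS on the given port without SNI or other extensions, so a server that requires SNI may simply alert, which is also treated as "refuses".

```python
import os
import socket
import struct

# TLS_RSA_EXPORT_* cipher suite ids from RFC 2246. A server that selects one of
# these when offered nothing else still honours export-grade RSA and is exposed.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def build_client_hello(suites):
    """TLS 1.0 ClientHello record offering only `suites` (no extensions, null compression)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x01" + os.urandom(32)          # client_version, random
            + b"\x00"                             # empty session_id
            + struct.pack("!H", len(cs)) + cs     # cipher_suites
            + b"\x01\x00")                        # compression_methods: null only
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 0x16 = handshake

def selected_suite(response):
    """Cipher suite id chosen in a ServerHello, or None for an alert / anything else."""
    if len(response) < 5 or response[0] != 0x16:   # 0x15 = alert, e.g. handshake_failure
        return None
    hs = response[5:]
    if len(hs) < 4 or hs[0] != 0x02:               # handshake type 2 = ServerHello
        return None
    body = hs[4:]
    sid_len = body[34]                             # after server_version(2) + random(32)
    off = 35 + sid_len
    return struct.unpack("!H", body[off:off + 2])[0]

def check_server(host, port=443, timeout=5):
    """Name of the accepted RSA_EXPORT suite, or None if the server refuses them all."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(RSA_EXPORT_SUITES))
        suite = selected_suite(s.recv(4096))
    return RSA_EXPORT_SUITES.get(suite)

if __name__ == "__main__":
    import sys
    accepted = check_server(sys.argv[1])
    print(f"{sys.argv[1]}: " + (f"VULNERABLE, accepts {accepted}" if accepted
                                else "refuses RSA_EXPORT suites (good)"))
```

Run it as `python3 freak_check.py your.host.example` against servers you administer; a result of "refuses" together with the vendor patches on clients is the state you want.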
Microsoft released a Windows update last Tuesday (3/10/2015) to address the “FREAK” security vulnerability. The update also included an updated patch for Stuxnet, a sophisticated computer virus Microsoft said it addressed five years ago. The FREAK bulletin, rated “important,” Microsoft’s second-highest security severity rating, came less than a week after Microsoft acknowledged that the encryption protocols used in all supported versions of Windows were also vulnerable to the flaw.
(Image source: iCLIPART)