Geekflare
[gtranslate]
Geekflare is supported by our audience. We may earn affiliate commissions from buying links on this site.
In Security and Test Management  |  Last updated: November 30, 2022
Share on:
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

How to test FREAK Attack (CVE-2015-0204) and Fix?

By
joomla security extension

Does your website safe from FREAK Attack?

Web Security is happening subject these days. There is always something to keep Security Expert busy and vulnerabilities name is a bit catchy like Heart Bleed, Poodle, and now Freak Attack.

In this guide, I will explain how to identify if your website is affected and the procedure to fix the vulnerabilities.

Introduction

If you are interested or don’t know about Freak Attack then here are few words. Karthikeyan Bhargavan discovered FREAK attack vulnerability at INRIA in Paris.

It was announced on 3rd March 2015 that new SSL/TLS vulnerability would allow an attacker to intercept HTTPS connection between vulnerable client and server and the ability to force them to use weak encryption. This will help an attacker to steal or manipulate sensitive data.

Check if your server is vulnerable

If your Web Server accepts RSA_EXPORT cipher suites then you are at risk. You can perform a check against your HTTPS URL at the following link.

Fix FREAK Attack Security Vulnerability

Apache HTTP Server – you can disable EXPORT cipher suites by adding below in your httpd.conf or SSL configuration file.

SSLCipherSuite !EXPORT

You may already have an SSLCipherSuite line in your configuration file. If so, you just need to add !EXPORT at end of the line.

If you are new to the configuration, you can read my Apache Web Server Security & Hardening Guide.

Nginx – add the following in your configuration file.

ssl_ciphers '!EXPORT';

Additionally, you can use the SSL Configuration Generator or Mozilla Recommended Configuration to protect with SSL/TLS vulnerabilities.

As a website owner or security engineer, you should regularly perform a security scan against your website to find out for any new vulnerabilities and get notified.

You may also be interested in fixing the Logjam attack.

  • Chandan Kumar
    Author
    As the founder of Geekflare, I’ve helped millions to excel in the digital realm. Passionate about technology, I’m on a mission to explore the world and amplify growth for professionals and businesses alike.
Thanks to our Sponsors
More great readings on Security
Power Your Business
Some of the tools and services to help your business grow.
  • Invicti
    Invicti uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities and generate actionable results within just hours.
    Try Invicti
  • Brightdata
    Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.
    Try Brightdata
  • Monday.com
    Monday.com is an all-in-one work OS to help you manage projects, tasks, work, sales, CRM, operations, workflows, and more.
    Try Monday
  • Intruder
    Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.
    Try Intruder