Is your website safe from the FREAK Attack?

Web security is a hot subject these days. There is always something to keep security experts busy, and the vulnerability names are a bit catchy: Heartbleed, POODLE and now FREAK.

In this guide, I will explain how to identify whether your website is affected and the procedure to fix the vulnerability.

Introduction

If you are interested in, or don’t yet know about, the FREAK attack, here are a few words about it. Karthikeyan Bhargavan discovered the FREAK attack vulnerability at INRIA in Paris.

It was announced on 3rd March 2015 that a new SSL/TLS vulnerability would allow an attacker to intercept an HTTPS connection between a vulnerable client and server and force them to use weak encryption. This would let an attacker steal or manipulate sensitive data.

Check if your Client or Web (HTTPS) server is vulnerable

Client – the quickest way to find out whether your browser client is vulnerable is to open the following URL in your browser; it shows the result immediately.

https://freakattack.com/clienttest.html

If your browser client is vulnerable, you will get a warning message like the one below.

[Screenshot: freak-attack-vulnerable-results]

If your browser client is not vulnerable, you will get a good-news message like the one below.

[Screenshot: freak-attack-test]

Server – if your web server accepts RSA_EXPORT cipher suites, you are at risk. You can perform a check against your HTTPS URL at the following link.

Fix FREAK Attack Security Vulnerability

Apache HTTP Server – you can disable EXPORT cipher suites by adding the following to your httpd.conf or SSL configuration file.

SSLCipherSuite !EXPORT

If you are new to the configuration, you can read my Apache Web Server Security & Hardening Guide.

Nginx – add the following to your configuration file.

ssl_ciphers '!EXPORT';
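Both directives above take an OpenSSL cipher-list string, so one audit can cover Apache and Nginx configs. The following script is an added example (not code from the original article): it finds each SSLCipherSuite / ssl_ciphers directive in a config file and reports whether EXPORT suites are explicitly killed with !EXPORT, explicitly pulled in (ALL, DEFAULT on the OpenSSL 1.0.x builds affected by FREAK, the EXPORT class or an EXP-* suite name), or simply not addressed. The sample config at the bottom is constructed.

```python
import re
from typing import List, Tuple

# Apache's SSLCipherSuite and Nginx's ssl_ciphers share OpenSSL's
# cipher-list syntax; Nginx lines end with ';' and are usually quoted.
DIRECTIVE_RE = re.compile(
    r'^\s*(SSLCipherSuite|ssl_ciphers)\s+(.+?)\s*;?\s*$', re.IGNORECASE)

# Cipher-list keywords that expand to include export-grade RSA suites on
# the OpenSSL 1.0.x builds affected by FREAK (assumption for DEFAULT:
# it was ALL:!aNULL:!eNULL there, so export suites were not removed).
EXPORT_INCLUDERS = {'ALL', 'DEFAULT', 'EXPORT', 'EXP', 'EXPORT40', 'EXPORT56'}


def classify(cipher_string: str) -> str:
    """Classify an OpenSSL cipher string with respect to EXPORT suites.

    'excluded'  - contains !EXPORT or !EXP (a permanent delete, so its
                  position in the list does not matter)
    'included'  - names an export class or an EXP-* suite without such a delete
    'unchecked' - neither; the article's advice is to add !EXPORT explicitly
    """
    raw = cipher_string.strip().strip('\'"').replace(',', ':')
    tokens = [t.strip().upper() for t in raw.split(':') if t.strip()]
    if any(t in ('!EXPORT', '!EXP') for t in tokens):
        return 'excluded'
    for t in tokens:
        name = t.lstrip('+-')  # '+' and '-' modifiers are not permanent deletes
        if name in EXPORT_INCLUDERS or name.startswith('EXP-'):
            return 'included'
    return 'unchecked'


def audit_config(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, directive, verdict) for every cipher directive found."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)  # commented-out lines do not match
        if m:
            findings.append((n, m.group(1), classify(m.group(2))))
    return findings


# Constructed sample: one Apache vhost and one Nginx server block.
SAMPLE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite ALL:!aNULL
</VirtualHost>
server {
    listen 443 ssl;
    ssl_ciphers 'HIGH:MEDIUM:!EXPORT';
}
"""

if __name__ == '__main__':
    for n, directive, verdict in audit_config(SAMPLE):
        print(f"line {n}: {directive} -> EXPORT {verdict}")
```

Run it against your real httpd.conf or nginx.conf by reading the file into audit_config; any directive reported as 'included' or 'unchecked' should get !EXPORT appended as the article describes.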

Additionally, you can use the SSL Configuration Generator or Mozilla's recommended configuration to protect against SSL/TLS vulnerabilities.

As a website owner or security engineer, you should regularly perform a security scan against your website to find any new vulnerabilities and get notified.

You may also be interested in fixing Logjam attack.

Comments

  1. Hi,
    First of all, thanks for sharing these great things with us.
    I want to know: if I have configured “SSLCipherSuite HIGH:MEDIUM”, then do I need to disable the EXPORT cipher?
    I mean, do I have to configure my server’s SSL setting like “SSLCipherSuite HIGH:MEDIUM:!EXPORT”?

    Thanks,
    Vilash Jagani

  2. I only use jdk1.6 and Tomcat 7.
    I want to change the server.xml as for Apache HTTP Server,
    except the APR way, and I need your help please.

  3. Hi,
    What if IBM Tivoli Directory Server (TDS), IBM Tivoli Access Manager (TAM), IBM WebSphere Application Server and IBM HTTP Server (IHS) are showing the same vulnerability (CVE-2015-0204), asking to disable RSA_EXPORT cipher suites?
    Thanks in advance for your help.

  4. Hi,

    We are using Solaris 10 and Linux servers in our environment. Will this vulnerability apply to the Unix platform? If yes, can you please suggest the steps to fix this vulnerability?

    Thanks in advance.
