What is the FREAK vulnerability?

Last updated: April 13, 2016 

The FREAK vulnerability (the name stands for Factoring attack on RSA-EXPORT Keys) is an encryption flaw in some TLS/SSL servers and clients that had existed for more than a decade before it was found.  It allows a man-in-the-middle attacker to downgrade the encryption of a secure connection from “strong RSA” to a much weaker “export-grade RSA”.  Once the connection has been downgraded, the attacker can crack the weakened encryption far more easily and use it to steal passwords and other private data, or to launch attacks on web sites.  The flaw silently exposes users’ private information when they visit web sites that are supposed to be secure.

The flaw is a legacy of a former U.S. government policy that forbade strong encryption in exported products.  Although this “export-grade” restriction was lifted in the 1990s, the weaker encryption has evidently circulated back into products that were later shipped to the United States.  Researchers made the discovery in the weeks before announcing it on March 3, 2015.
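As an added example (not part of the original article), the following Python checks a TLS ClientHello/ServerHello pair for the downgrade FREAK relies on: the server selecting an export-grade RSA (or DH) suite, or selecting a suite the client never offered, which a correct client must reject. The message builders and the offered-suite lists are constructed for illustration; the cipher suite IDs are the standard registry values.

```python
import struct

# Export-grade (512-bit RSA/DH key exchange) suites, IDs from the IANA TLS registry.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def _suite_offset(hello):
    # Handshake layout: type(1) len(3) version(2) random(32) sid_len(1) sid(n) ...
    return 39 + hello[38]

def client_hello_suites(hello):
    """Cipher suite IDs offered in a ClientHello handshake message."""
    pos = _suite_offset(hello)
    n = struct.unpack("!H", hello[pos:pos + 2])[0]
    return [struct.unpack("!H", hello[i:i + 2])[0]
            for i in range(pos + 2, pos + 2 + n, 2)]

def server_hello_suite(hello):
    """The single cipher suite ID chosen in a ServerHello handshake message."""
    pos = _suite_offset(hello)
    return struct.unpack("!H", hello[pos:pos + 2])[0]

def check_negotiation(client_hello, server_hello):
    """Flag a FREAK-style downgrade: an export suite, or a suite the client never offered."""
    chosen = server_hello_suite(server_hello)
    if chosen in EXPORT_SUITES:
        return f"DOWNGRADE: export-grade suite {EXPORT_SUITES[chosen]} selected"
    if chosen not in client_hello_suites(client_hello):
        return f"DOWNGRADE: server chose 0x{chosen:04x}, which the client never offered"
    return "ok"

# Builders for constructed sample messages (not a real capture), TLS 1.2 framing.
def build_client_hello(suites):
    body = b"\x03\x03" + bytes(32) + b"\x00"     # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                            # one compression method: null
    return b"\x01" + len(body).to_bytes(3, "big") + body

def build_server_hello(suite):
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return b"\x02" + len(body).to_bytes(3, "big") + body
```

Running `check_negotiation(build_client_hello([0x002F, 0x0035]), build_server_hello(0x0003))` reports the export-grade RC4_40 suite, which is exactly the condition a patched client refuses.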

How to detect if you are vulnerable

Several resources make it easy to check whether your web browser is vulnerable to the FREAK bug.  One popular resource is https://freakattack.com.  When you visit the site, a vulnerability notification displays in your web browser automatically.  If your browser is safe from the vulnerability, you will see “Good News! Your browser appears to be safe from the FREAK attack”:

[Screenshot: the “Good News” notification shown by freakattack.com]

If your web browser is vulnerable, the following notification will display instead:

[Screenshot: the vulnerability warning shown by freakattack.com]

The web site also offers a separate FREAK Client Test Tool.

What you should do if you use a web browser

Test your web browser’s exposure to the FREAK vulnerability using the tools described above.  If your browser is susceptible to the bug, you may wish to stop using it for now.  Note that all major browser developers are aware of this issue and are patching the flaw (if they have not already done so).  Check frequently that you are running the very latest version of your browser, and install browser updates as soon as they become available.
