Who it affects, how hackers could use it, and what you should do about it.

On March 3, 2015, a new exploit related to an old SSL/TLS vulnerability was discovered and dubbed FREAK (CVE-2015-0204). It’s name stands for Factoring Attack on RSA-EXPORT Keys and is estimated to affect 33% of HTTPS encrypted websites.

FREAK SSL TLS exploitFREAK makes it easier for hackers to decode HTTPS connections, but only if a vulnerable browser connects to a web server that supports export-grade cryptography.

The problem originated in 1990 when the government required manufacturers to develop weak keys for any software/hardware exported out of the U.S. To satisfy the mandate, manufacturers designed products that offered both commercial-grade and export-grade key options. Governmental export restrictions have since been dropped, but many hardware/software versions still have export-grade cryptography.

Affected browsers

  • Internet Explorer
  • Chrome on Android
  • Android browser
  • Safari on Mac OS and iOS
  • BlackBerry browser
  • Opera on Mac OS X
  • Opera on Linux

Affected systems

  • All supported releases of Microsoft Windows

How does the FREAK exploit work?

The exploit is a man-in-the-middle attack which allows attackers to tamper with the unencrypted handshake protocol and force a downgrade to export-grade encryption, allowing the attacker to eventually see all website or system traffic.

Our recommendations

  • Check if your browser is safe from the FREAK attack
  • Make sure your browser is up to date, and apply patches on your systems, if needed
  • Keep your vulnerability scans up to date (SecurityMetrics vulnerability scans will flag servers that allow weak SSL ciphers, including the export level ciphers upon which this attack is based.)
SecurityMetrics vulnerability scan customers can check if their systems are vulnerable to FREAK by simply logging in and running a vulnerability scan. The scan detects weak SSL encryption, and alerts customers of any critical vulnerabilities.

If you have any questions, please contact SecurityMetrics support, 801.705.5700.