by Kronopath 4127 days ago
This news story is way too light on details for this audience. A better description of the vulnerability is here: https://www.freakattack.com/

A summary:

The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted.

A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.

It also includes a list of vulnerable websites, including sites like mit.edu, groupon.com, marriott.com, and americanexpress.com (!).
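The two conditions in that summary (server accepts an RSA_EXPORT suite; client offers one or, per CVE-2015-0204, accepts one it never offered) can be checked passively from a captured handshake. Below is an added example in Python, not code from Kronopath's comment or from freakattack.com: it parses a TLS ClientHello and ServerHello, lists the suites the client offered, reads the suite the server picked, and flags the downgrade signature a monitoring tool would alert on. The function names (`offered_suites`, `selected_suite`, `assess_handshake`) are my own, and the sample records are constructed inline rather than captured traffic.

```python
import struct

# Export-grade RSA key-exchange suites from RFC 2246 appendix A.5; these are
# the suites a FREAK downgrade pushes a connection onto.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def _handshake_body(record, expected_type):
    """Unwrap one TLS record and return the handshake message it carries."""
    if len(record) < 5 or record[0] != 0x16:            # content type: handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    msg = record[5:5 + rec_len]
    if len(msg) < 4 or msg[0] != expected_type:
        raise ValueError("unexpected handshake message type %r" % (msg[:1],))
    hs_len = int.from_bytes(msg[1:4], "big")
    return msg[4:4 + hs_len]


def offered_suites(client_hello_record):
    """Cipher suites a ClientHello offers, in the client's preference order."""
    body = _handshake_body(client_hello_record, 0x01)
    pos = 2 + 32                                        # skip version + random
    pos += 1 + body[pos]                                # skip session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    raw = body[pos:pos + n]
    if len(raw) != n or n % 2:
        raise ValueError("truncated cipher suite list")
    return [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, n, 2)]


def selected_suite(server_hello_record):
    """The single cipher suite a ServerHello selects."""
    body = _handshake_body(server_hello_record, 0x02)
    pos = 2 + 32                                        # skip version + random
    pos += 1 + body[pos]                                # skip session id
    return struct.unpack("!H", body[pos:pos + 2])[0]


def assess_handshake(client_hello_record, server_hello_record):
    """Describe whether this handshake shows an export-suite negotiation."""
    offered = offered_suites(client_hello_record)
    chosen = selected_suite(server_hello_record)
    client_offers_export = any(s in RSA_EXPORT_SUITES for s in offered)
    server_chose_export = chosen in RSA_EXPORT_SUITES
    return {
        "client_offers_export": client_offers_export,
        "server_chose_export": server_chose_export,
        "chosen": RSA_EXPORT_SUITES.get(chosen, "0x%04x" % chosen),
        # A correct client rejects a suite it never offered; one affected by
        # CVE-2015-0204 accepts it. Export chosen but never offered is the
        # pattern worth alerting on.
        "downgrade_signature": server_chose_export and not client_offers_export,
    }


# --- constructed sample records for demonstration (not captured traffic) ----
def _record(hs_type, hello_body):
    msg = bytes([hs_type]) + len(hello_body).to_bytes(3, "big") + hello_body
    return b"\x16\x03\x01" + struct.pack("!H", len(msg)) + msg


def make_client_hello(suites):
    body = b"\x03\x03" + bytes(32) + b"\x00"            # TLS 1.2, zero random, empty sid
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # one compression method: null
    return _record(0x01, body)


def make_server_hello(suite):
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(0x02, body)


if __name__ == "__main__":
    ch = make_client_hello([0xC02F, 0x009C, 0x002F])   # modern client, no export suites
    sh = make_server_hello(0x0003)                      # server answered with an export suite
    print(assess_handshake(ch, sh))
```

The same logic run over real ClientHello/ServerHello records (for example extracted from a packet capture) tells you which of the two conditions above applies: `client_offers_export` means the client is misconfigured regardless of the server, while `downgrade_signature` means the server accepted export suites and the client did not refuse the unexpected choice.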

1 comments

Something is odd with that site. If I enter https://www.freakattack.com it reports Safari 5.1.10 as safe from the attack. If I simply enter https://freakattack.com it reports it as vulnerable.