For those who do not know, the FREAK acronym stands for "Factoring attack on RSA-EXPORT Keys" (tracked in OpenSSL as CVE-2015-0204). There has been a clamor about what caused this vulnerability and what can be done about it. The cause is a set of decisions made years ago by the US Government to ban the export of strong cryptography outside of the USA. That meant many servers and clients had to be able to negotiate both strong and weak levels of encryption, and the weak levels were based on approved "export grade" cipher suites, which limit the RSA key to 512 bits. A 512-bit RSA key can be factored in a matter of hours with rented computing power. Many servers and clients still support these old cipher suites, and that is the weakness that lets a Man in the Middle (MITM) attack succeed: the attacker steers the connection onto an export cipher suite, factors the short key, and can then read or alter the traffic that both sides believe is protected.

Without going into all of the technical details, suffice it to say that you can check your own Online Banking website, and any other website, for an indication of this weakness. Banks that transfer files to and from a vendor such as a correspondent bank could also use this tool to attempt to verify the security of their vendor's web server. We use the word "attempt" with intent, in that the industry is not consistent in what a fix may entail: some work-arounds disable a short list of cipher suites and others specify a longer list.

The website for testing your server is https://www.ssllabs.com. Be sure to use the "Test your server" option and verify the exact name of the https (secure) website for the test. We recommend checking the option "Do not show the results on the boards". If the Qualys SSL Labs test identifies a problem, you need to discuss it with that vendor.

Just as important in this situation, if not more so, is the browser or client test. The website for testing your browser is the same, https://www.ssllabs.com; be sure to use the "Test your browser" option. It tests whether your browser is secure from this attack or needs to be patched or reconfigured. Fixing the server removes the weak cipher suites from that one site only; a vulnerable browser stays vulnerable against every other server that still offers them.
Prior to the public awareness of FREAK we had disabled the weak as well as "export" cipher suites in the web servers of our Online Banking banks. That said, the online test sites only check for a list of weak ciphers. We are not aware of any that check for a downgrade negotiation, which is the heart of the FREAK attack. As always, if you have questions, give us a call. We cannot, however, answer for your customers' browsers.
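The server-side precondition for FREAK is simply that the server will still agree to an RSA_EXPORT cipher suite when asked for one. The following Python probe, added here as an illustration and not part of the original article or of any vendor's tooling, sends a TLS ClientHello that offers only the export RSA suites and reports whether the server selects one (vulnerable) or refuses with a handshake_failure alert (the expected answer from a correctly configured server). The cipher-suite identifiers are the ones assigned in RFC 2246 and the OpenSSL EXPORT1024 list; the two sample responses at the bottom are constructed for offline checking and were not captured from any real server. It checks the server's configuration, not the separate client bug of accepting an export key that was never negotiated.

```python
"""Probe whether a TLS server still negotiates an RSA_EXPORT cipher suite.

Offers ONLY export-grade RSA suites in the ClientHello.  A server that answers
with a ServerHello selecting one of them would hand a 512-bit RSA key to a
FREAK man-in-the-middle; a correctly configured server sends a
handshake_failure alert (or simply closes the connection).
"""
import os
import socket
import struct

# Cipher-suite identifiers: RFC 2246 TLS_RSA_EXPORT_* plus the EXPORT1024
# suites that OpenSSL still lists as EXP1024-*.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

HANDSHAKE, ALERT = 0x16, 0x15   # TLS record content types
SERVER_HELLO = 0x02             # handshake message type


def build_client_hello(host: str, suites=tuple(EXPORT_RSA_SUITES)) -> bytes:
    """TLS record carrying a TLS 1.2 ClientHello that offers only `suites`."""
    sni_name = host.encode("idna")
    # ServerName entry: name_type(1)=host_name, length(2), name
    server_name_list = b"\x00" + struct.pack("!H", len(sni_name)) + sni_name
    # extension_type(2)=server_name, extension_data length(2), ServerNameList
    sni_ext = (struct.pack("!HH", 0x0000, len(server_name_list) + 2)
               + struct.pack("!H", len(server_name_list)) + server_name_list)
    cipher_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        b"\x03\x03"                                          # client_version: TLS 1.2
        + os.urandom(32)                                     # client random
        + b"\x00"                                            # empty session_id
        + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
        + b"\x01\x00"                                        # one compression method: null
        + struct.pack("!H", len(sni_ext)) + sni_ext          # extensions
    )
    handshake = bytes([0x01]) + len(body).to_bytes(3, "big") + body   # ClientHello header
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> dict:
    """Interpret the first TLS record a server sends back to the export-only hello."""
    if len(data) < 5:
        return {"status": "closed", "suite": None}
    rec_type, length = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if rec_type == ALERT and len(payload) >= 2:
        # alert level(1), description(1); 40 = handshake_failure
        return {"status": "refused", "suite": None, "alert": payload[1]}
    if rec_type == HANDSHAKE and payload and payload[0] == SERVER_HELLO:
        # ServerHello: type(1) len(3) version(2) random(32) sid_len(1) sid cipher(2)
        sid_len = payload[38]
        suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
        if suite in EXPORT_RSA_SUITES:
            return {"status": "VULNERABLE", "suite": EXPORT_RSA_SUITES[suite]}
        # Selecting a suite we never offered is itself a server bug worth reporting.
        return {"status": "unexpected", "suite": hex(suite)}
    return {"status": "unexpected", "suite": None}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to a live server and classify its answer (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        try:
            data = s.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data)


# Constructed sample responses for offline checking (not captured from a real server).
SAMPLE_HANDSHAKE_FAILURE = bytes([ALERT, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])
SAMPLE_EXPORT_SERVER_HELLO = (
    bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", 42)
    + bytes([SERVER_HELLO]) + (38).to_bytes(3, "big")
    + b"\x03\x01" + b"\x00" * 32 + b"\x00" + b"\x00\x08" + b"\x00"
)

if __name__ == "__main__":
    import sys
    print("sample alert      :", classify_response(SAMPLE_HANDSHAKE_FAILURE))
    print("sample ServerHello:", classify_response(SAMPLE_EXPORT_SERVER_HELLO))
    if len(sys.argv) > 1:                       # e.g. python freak_probe.py www.example.com
        print(sys.argv[1], probe(sys.argv[1]))
```

Run it against a host name to get one of three answers: "refused" or "closed" means the server will not speak export grade at all; "VULNERABLE" names the export suite it chose. On an Apache or other OpenSSL-based server the matching fix is to exclude the EXPORT alias from the cipher list (for example appending :!EXPORT:!aNULL:!eNULL to SSLCipherSuite), then rerun the probe to confirm the answer has changed to "refused".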