SSL FREAK Flaw – CVE-2015-0204

Mar - 04 2015 | By

On Tuesday, March 3, 2015, it was announced that a flaw had been found in SSL security that is based on an old 512-bit exportable encryption type.

This flaw affects web servers and some web browsers.

You can test your browser at https://freakattack.com/
IE 11 is not affected; IE 10 is partially affected, see Microsoft's response below. (Fixed in the March updates, March 10, 2015)
Firefox 36 and 36.0.1 are not affected.
Chrome 41 is not affected.
Safari 8.0.3 and 7.1.3 are affected. (Fixed March 10, 2015)
Safari on iOS 8 devices is affected. (Fixed in iOS 8.2, March 9, 2015)
The default browser and Chrome on Android are affected.
Opera on Mac and Linux is affected. (Fixed in Opera 28, March 11, 2015)

You can test your SSL-enabled services at
https://tools.keycdn.com/freak
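
A local way to check a server you run for the export-grade RSA suites behind this flaw, as an added example that is not code from this post or from the tools linked above. It offers only the three 40-bit RSA export suites in a TLS 1.0 ClientHello and reports whether the server selects one; the function names are illustrative, and the probe sends no SNI extension, so a name-based virtual host may answer differently.

```python
import os
import socket
import struct

# RSA export-grade suites (IANA registry values). A server that selects one
# is willing to negotiate the 512-bit export RSA key exchange.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def build_client_hello(version=b"\x03\x01"):
    """TLS 1.0 ClientHello that offers only the export RSA suites."""
    suites = b"".join(struct.pack("!H", s) for s in EXPORT_RSA_SUITES)
    body = (version + os.urandom(32)              # client_version, random
            + b"\x00"                             # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                        # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Return (accepts_export, detail) for the first bytes the server sent."""
    if len(data) < 7:
        return False, "no TLS record (connection closed or reset)"
    if data[0] == 0x15:                           # alert: offer was refused
        return False, f"alert {data[6]}"
    if data[0] != 0x16 or data[5] != 0x02:
        return False, "unexpected record"
    # ServerHello: type(1) len(3) version(2) random(32) sid_len(1) sid suite(2)
    sid_at = 5 + 4 + 2 + 32
    if len(data) < sid_at + 1:
        return False, "truncated ServerHello"
    suite_at = sid_at + 1 + data[sid_at]
    if len(data) < suite_at + 2:
        return False, "truncated ServerHello"
    suite = struct.unpack("!H", data[suite_at:suite_at + 2])[0]
    name = EXPORT_RSA_SUITES.get(suite)
    return name is not None, name or f"suite 0x{suite:04x}"

def probe(host, port=443, timeout=5.0):
    """Send the export-only hello to a server you operate and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return classify_response(sock.recv(4096))
```

A result of `(True, <suite name>)` from `probe()` means export RSA is still enabled and the cipher configuration needs tightening; an alert or a closed connection means the offer was refused.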

To secure Apache, NGINX and HAProxy, follow the Mozilla Configuration Generator at
https://mozilla.github.io/server-side-tls/ssl-config-generator/
and the Security/Server Side TLS page on the Mozilla Wiki at
https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

For IIS 6 (Windows Server 2003, 2003 R2), make sure you have only the most secure forms of SSL and TLS enabled on your server. By default all are enabled.
http://www.criticalwatch.com/faqs/ssl-tls-weak-anonymous-iis/
Microsoft's response on 3/5/2015:
https://technet.microsoft.com/en-us/library/security/3046015

I have not found IIS on Windows Server 2008, 2008 R2, 2012, 2012 R2 to be affected by this issue in most cases.

If you need help or assistance, Michael Spice can help with testing and securing your SSL-enabled services.