2

Is there a reason it only affects browsers on Windows machines and not Macs or UNIX/LINUX environments? A lot of the wording on this site is particularly complicated and I don't understand fully what the FREAK attack entails.

I have Chrome, and apparently that wasn't affected by the FREAK attack. But it says it's on Windows machines only.

yuritsuki

1 Answer

6

In simple terms:

  1. Your browser starts to connect to an HTTPS website, asking to use a strong cipher.
  2. The attacker intercepts this request and replaces it with one asking to use weak "export-grade" encryption.
  3. The server gets this modified request and responds to your browser with an export-grade encryption key.
  4. Your browser doesn't notice the key it got is weaker than the one it asked for, and finishes setting up the SSL session using this weak key.
  5. The attacker can now record your session and break the encryption on it in a matter of minutes to hours, or if the server re-uses keys (most of them do), use a previous break to read (and potentially modify) your traffic as it goes by.

Note that the "FREAK" attack requires three things in order to work:

  1. A server that still supports export-grade encryption. Less than a quarter of them do.
  2. A browser with a buggy SSL library that doesn't notice that what it asks for isn't what it got.
  3. An attacker sitting between a vulnerable browser and a server with an out-of-date configuration.

As far as I can tell, the "FREAK" vulnerability affects the SChannel library (Internet Explorer and related Windows browsers), Apple's SSL library (Safari and other Mac OS X/iOS browsers), and OpenSSL (most Android browsers and a scattering of Linux browsers). The NSS library (Firefox and Chrome) does not appear to be affected.

Mark
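The check that step 4 of the answer says a buggy SSL library skips, as an added example that is not part of the original answer: a simplified Python model of what the client sees, comparing a client that uses whatever key arrives with one that cross-checks it against what it offered. The class and function names, the sample messages and the 2048-bit floor are assumptions made for illustration; this is not a TLS parser or any library's actual code.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model of the handshake fields involved; not a TLS parser.
EXPORT_SUITES = {"EXP-RC4-MD5", "EXP-DES-CBC-SHA"}  # OpenSSL names of RSA export suites
MIN_RSA_BITS = 2048  # assumed local policy floor

class HandshakeError(Exception):
    """Raised when the strict client refuses to continue the handshake."""

@dataclass
class ServerReply:
    chosen_suite: str                    # suite named in the ServerHello the client sees
    cert_rsa_bits: int                   # size of the RSA key in the certificate
    temp_rsa_bits: Optional[int] = None  # temporary RSA key in ServerKeyExchange, if sent

def lenient_client(offered, reply):
    """Step 4 as described: use whatever key arrived, with no cross-check."""
    return reply.temp_rsa_bits or reply.cert_rsa_bits

def strict_client(offered, reply):
    """Return the RSA key size used for key exchange, or raise HandshakeError."""
    if reply.chosen_suite not in offered:
        raise HandshakeError("server chose a suite the client never offered")
    if reply.temp_rsa_bits is not None and reply.chosen_suite not in EXPORT_SUITES:
        raise HandshakeError("temporary RSA key sent for a non-export suite")
    bits = reply.temp_rsa_bits or reply.cert_rsa_bits
    if bits < MIN_RSA_BITS:
        raise HandshakeError(f"{bits}-bit RSA key is below the {MIN_RSA_BITS}-bit floor")
    return bits

def verdict(offered, reply):
    """Run the strict check and report 'ok' or the rejection reason."""
    try:
        strict_client(offered, reply)
        return "ok"
    except HandshakeError as exc:
        return str(exc)

# Constructed sample messages, as the client would see them.
OFFERED = ["AES256-SHA", "AES128-SHA"]
HONEST = ServerReply("AES128-SHA", cert_rsa_bits=2048)
DOWNGRADED = ServerReply("AES128-SHA", cert_rsa_bits=2048, temp_rsa_bits=512)

if __name__ == "__main__":
    for name, reply in (("honest", HONEST), ("downgraded", DOWNGRADED)):
        print(name, lenient_client(OFFERED, reply), verdict(OFFERED, reply))
```

The lenient client ends up on the 512-bit key in the downgraded case, while the strict client stops the handshake before any key is used.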