{"id":10760,"date":"2015-03-10T19:21:44","date_gmt":"2015-03-10T23:21:44","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=10760"},"modified":"2016-02-12T14:18:36","modified_gmt":"2016-02-12T19:18:36","slug":"freak","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2015\/03\/10\/freak\/","title":{"rendered":"FREAK"},"content":{"rendered":"<p><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms15-031.aspx?f=255&amp;MSPPError=-2147217396\">Microsoft Security Bulletin MS15-031<\/a>:<\/p>\r\n<blockquote cite=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms15-031.aspx?f=255&amp;MSPPError=-2147217396\"><p>This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems. The vulnerability could allow a man-in-the-middle (MiTM) attacker to force the downgrading of the key length of an RSA key to EXPORT-grade length in a TLS connection. Any Windows system using Schannel to connect to a remote TLS server with an insecure cipher suite is affected.<\/p><\/blockquote>\r\n<p><a href=\"https:\/\/support.apple.com\/en-us\/HT204413\">Apple Security Update 2015-002<\/a>:<\/p>\r\n<blockquote cite=\"https:\/\/support.apple.com\/en-us\/HT204413\">\r\n<p>Secure Transport accepted short ephemeral RSA keys, usually used only in export-strength RSA cipher suites, on connections using full-strength RSA cipher suites. This issue, also known as FREAK, only affected connections to servers which support export-strength RSA cipher suites, and was addressed by removing support for ephemeral RSA keys.<\/p>\r\n<\/blockquote>\r\n<p>Reader Fran&ccedil;ois Joseph notes that Apple has not made this fix available to users of the pre-release Mac OS X 10.10.3. However, he successfully applied the <a href=\"https:\/\/support.apple.com\/kb\/DL1796\">10.10.2 package<\/a> using <a href=\"https:\/\/www.charlessoft.com\">Pacifist<\/a> with seemingly no ill effects.<\/p>\r\n<p>Update (2015-03-10): <a href=\"http:\/\/arstechnica.com\/apple\/2015\/03\/apple-patches-freak-vulnerability-on-mountain-lion-mavericks-yosemite\/\">Lee Hutchinson<\/a>:<\/p>\r\n<blockquote cite=\"http:\/\/arstechnica.com\/apple\/2015\/03\/apple-patches-freak-vulnerability-on-mountain-lion-mavericks-yosemite\/\"><p>First publicized a week ago, the <a href=\"http:\/\/arstechnica.com\/security\/2015\/03\/freak-flaw-in-android-and-apple-devices-cripples-https-crypto-protection\/\">&ldquo;FREAK&rdquo; vulnerability<\/a> can be used by an attacker to force someone&rsquo;s SSL\/TLS connection to a Web server to use a weak 512-bit key, which the attacker can then factor with a relatively trivial amount of work and thereby decrypt and\/or modify the supposedly secure connection. The vulnerability affects OS X, iOS, Android, and <a href=\"http:\/\/arstechnica.com\/security\/2015\/03\/stop-the-presses-https-crippling-freak-bug-affects-windows-after-all\/\">Windows<\/a> devices. The acronym &ldquo;FREAK&rdquo; stands for &ldquo;Factoring attack on RSA-EXPORT Keys,&rdquo; which references the fact that the 512-bit weak keys are so-called legacy &ldquo;export-grade&rdquo; keys mandated for use in the 1990s with cryptographic hardware and software built in the US but intended for sale outside of the country.<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Microsoft Security Bulletin MS15-031: This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems. The vulnerability could allow a man-in-the-middle (MiTM) attacker to force the downgrading of the key length of an RSA key to EXPORT-grade [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[131,30,903,476,1145,776,48,581],"class_list":["post-10760","post","type-post","status-publish","format-standard","hentry","category-technology","tag-bug","tag-mac","tag-mac-os-x-10-10-yosemite","tag-networking","tag-pacifist","tag-secure-transport","tag-security","tag-ssltls"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/10760","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=10760"}],"version-history":[{"count":3,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/10760\/revisions"}],"predecessor-version":[{"id":13532,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/10760\/revisions\/13532"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=10760"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=10760"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=10760"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}