FREAK Vulnerability Appears In CERT Advisory
The Factoring Attack on RSA-EXPORT Keys (FREAK) vulnerability in some SSL/TLS implementations has made headlines lately and has been listed in an official vulnerability note by CERT. Some implementations of SSL/TLS accept export-grade (512-bit or smaller) RSA keys even when not specifically requesting export-grade ciphers. An attacker able to act as a man-in-the-middle (MitM) could factor weak temporary RSA keys, obtain session keys, and decrypt SSL/TLS traffic. This issue has been dubbed the FREAK attack.
Products released by Apple, Google, Microsoft, OpenSSL, Opera and Blackberry are vulnerable, according to CERT.
Apple and Microsoft have confirmed the issue and are currently working on patches to address it.
In its advisory, CERT advises affected users to check with the software vendor and update as soon as possible. Users should also configure their server and client applications not to use export-grade ciphers (EC).
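The flaw described above, accepting an export-grade RSA key that was never requested, comes down to one missing check on the client side. The following is an added example, not code from CERT or any affected vendor: a simplified Python model (not a TLS wire parser) in which the class, function names and sample values are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class ServerReply:
    """Constructed model of a server's handshake reply."""
    cipher_suite: str             # suite the server says it selected
    cert_rsa_bits: int            # RSA key size in the server certificate
    temp_rsa_bits: Optional[int]  # temporary RSA key size, None if none sent


class HandshakeError(Exception):
    """Raised when the client must abort the handshake."""


def is_export(suite: str) -> bool:
    # IANA names of export-grade suites contain "_EXPORT_".
    return "_EXPORT_" in suite


def lenient_key_bits(offered: Sequence[str], reply: ServerReply) -> int:
    """Flawed behaviour: any temporary RSA key the server sends is used."""
    if reply.cipher_suite not in offered:
        raise HandshakeError("server selected a suite that was not offered")
    if reply.temp_rsa_bits is not None:
        return reply.temp_rsa_bits
    return reply.cert_rsa_bits


def strict_key_bits(offered: Sequence[str], reply: ServerReply) -> int:
    """Hardened behaviour: a temporary RSA key is valid only with an export suite."""
    if reply.cipher_suite not in offered:
        raise HandshakeError("server selected a suite that was not offered")
    if reply.temp_rsa_bits is not None:
        if not is_export(reply.cipher_suite):
            raise HandshakeError("temporary RSA key sent for a non-export suite")
        return reply.temp_rsa_bits
    return reply.cert_rsa_bits


# Constructed sample input: the client offers no export suite at all.
OFFERED = ["TLS_RSA_WITH_AES_128_CBC_SHA"]
UNREQUESTED_WEAK_KEY = ServerReply("TLS_RSA_WITH_AES_128_CBC_SHA", 2048, 512)
NORMAL = ServerReply("TLS_RSA_WITH_AES_128_CBC_SHA", 2048, None)

if __name__ == "__main__":
    print("lenient client key bits:", lenient_key_bits(OFFERED, UNREQUESTED_WEAK_KEY))
    try:
        strict_key_bits(OFFERED, UNREQUESTED_WEAK_KEY)
    except HandshakeError as exc:
        print("strict client aborts:", exc)
```

Even the strict client in this model would still use a 512-bit key if its offered list contained an export suite, which is why the advisory also recommends disabling export-grade ciphers in configuration.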