FREAK Attack Vulnerability
On March 3, 2015, researchers announced an SSL/TLS vulnerability called the FREAK attack. It allows a man-in-the-middle attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened, "export-grade" encryption, which the attacker can then break to steal or manipulate sensitive data.

VULNERABILITY: The FREAK attack is possible when a vulnerable client (for example a browser) connects to a susceptible web server that still accepts “export-grade” RSA cipher suites (RSA_EXPORT).

Servers that accept RSA_EXPORT cipher suites put their users at risk from the FREAK attack. Internet-wide scanning found that more than a third of all browser-trusted HTTPS servers were at risk.

You can check whether a server is vulnerable to this attack using the links below:

Chrome for Windows and all modern versions of Firefox are known to be safe. However, even if your browser is safe, certain third-party software, including some anti-virus products and adware programs, can expose you to the attack by intercepting TLS connections from the browser and re-negotiating them with their own (vulnerable) TLS stack. If you are using a safe browser but the client test says you are vulnerable, this is the likely cause.

In addition to browsers, many mobile apps, embedded systems, and other software products also use TLS. These are also potentially vulnerable if they rely on unpatched TLS libraries or offer RSA_EXPORT cipher suites.

SOLUTION: You should immediately disable support for TLS export cipher suites. While you are at it, you should also disable other cipher suites that are known to be insecure (NULL, anonymous, DES and RC4 suites) and enable forward secrecy by preferring ECDHE or DHE key exchange. Also, upgrade OpenSSL to at least 1.0.2, or to 1.0.1k if you stay on the 1.0.1 branch, since those releases fix the client-side RSA_EXPORT downgrade.

If you use a browser: Make sure you have the most recent version of your browser installed, and check for updates frequently. Updates that fix the FREAK attack should be available for all major browsers soon.

If you are a system admin: Make sure any TLS libraries you use are up to date. Unpatched OpenSSL, Microsoft Schannel and Apple SecureTransport all suffer from the vulnerability. Note that these libraries are used internally by many other programs, such as wget and curl. You also need to ensure that your server software does not offer export cipher suites, even as a last resort, because a server that accepts them exposes every unpatched client regardless of whether the server's own TLS library is patched.
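The probe that the online server tests perform, and the check a system admin wants for the last point above (does this server still accept RSA_EXPORT suites?), as an added example written for this page rather than the researchers' scanner or code from the original advisory. It builds a TLS 1.0 ClientHello that offers only RSA_EXPORT cipher suites and classifies the server's first reply: a ServerHello selecting one of those suites means the server accepts export-grade RSA and is exposed; a handshake_failure alert means it refuses them. The sample ServerHello and alert bytes are constructed here, not captured from a real host; the suite codes are the RSA_EXPORT entries of the TLS cipher suite registry, and probe() is the only part that needs network access.

```python
"""Offline FREAK exposure check: build the RSA_EXPORT-only ClientHello a scanner
sends and classify the server's first TLS record. Added example, not advisory code."""
import os
import socket
import struct
import sys

# RSA_EXPORT cipher suite codes (TLS registry); these are the suites FREAK abuses.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

HANDSHAKE, ALERT = 0x16, 0x15          # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types
HANDSHAKE_FAILURE = 40                 # alert description
TLS10 = b"\x03\x01"


def build_client_hello(suites=tuple(RSA_EXPORT_SUITES)):
    """TLS 1.0 ClientHello offering *only* the given suites.
    A correctly configured server must answer with a handshake_failure alert."""
    body = TLS10 + os.urandom(32) + b"\x00"  # client_version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                      # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS10 + struct.pack("!H", len(hs)) + hs


def classify_response(data):
    """Return (verdict, detail) for the first TLS record a server sent back."""
    if len(data) < 5:
        return ("unknown", "short record")
    ctype, rlen = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rlen]
    if ctype == ALERT and len(payload) >= 2:
        desc = payload[1]
        if desc == HANDSHAKE_FAILURE:
            return ("not_vulnerable", "handshake_failure")
        return ("unknown", "alert %d" % desc)
    if ctype == HANDSHAKE and len(payload) >= 41 and payload[0] == SERVER_HELLO:
        # ServerHello: type(1) len(3) version(2) random(32) sid_len(1) sid cipher_suite(2)
        sid_len = payload[38]
        off = 39 + sid_len
        suite = struct.unpack("!H", payload[off:off + 2])[0]
        if suite in RSA_EXPORT_SUITES:
            return ("vulnerable", RSA_EXPORT_SUITES[suite])
        return ("unknown", "negotiated 0x%04x (not an RSA_EXPORT suite)" % suite)
    return ("unknown", "unexpected record type 0x%02x" % ctype)


def probe(host, port=443, timeout=5.0):
    """Live check: send the export-only ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        return classify_response(s.recv(4096))


def sample_server_hello(suite):
    """Constructed ServerHello (not captured from a real host) selecting `suite`."""
    body = TLS10 + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS10 + struct.pack("!H", len(hs)) + hs


# Constructed sample replies: a server picking RC4_40 (exposed) and a fatal
# handshake_failure alert (export suites refused).
SAMPLE_VULNERABLE = sample_server_hello(0x0003)
SAMPLE_SAFE = bytes([ALERT]) + TLS10 + b"\x00\x02" + b"\x02\x28"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))            # e.g. python freak_check.py example.com
    else:
        print(classify_response(SAMPLE_VULNERABLE))
        print(classify_response(SAMPLE_SAFE))
```

A verdict of "unknown" (for example a server that picks a non-export suite it was never offered, or sends some other alert) should be treated as a prompt to inspect the configuration by hand rather than as a clean result.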
