FREAK: TLS/SSL Browsers, Java, phone, and more, SKIP-TLS

Posts: 116
Joined: 10 Nov 2013, 12:02
Distribution: LXDE3.5Manjaro, LXDE3.01-32bit
Location: Sweden


Post#1 by ElectriQT » 07 Mar 2015, 21:21

"... In other words, the JSSE implementation of TLS has been providing virtually no security guarantee (no authentication, no integrity, no confidentiality) for the past several years."

FREAK: Factoring RSA Export Keys,
man-in-the-middle. ... g-nsa.html

"server impersonation exploits against several mainstream browsers (including Safari and OpenSSL-based browsers on Android)"

Vulnerable TLS client libraries include:

OpenSSL (CVE-2015-0204): versions before 1.0.1k are vulnerable.
BoringSSL: versions before Nov 10, 2014 are vulnerable.
LibreSSL: versions before 2.1.2 are vulnerable.
SecureTransport: is vulnerable. A fix is being tested.
SChannel: is vulnerable. See the security advisory. A fix is being tested.
Mono: versions before 3.12.1 are vulnerable.
IBM JSSE: is vulnerable. A fix is being tested.
Other disclosure pending

Web browsers that use the above TLS libraries are vulnerable, including:

Chrome: versions before 41 on various platforms are vulnerable. Update to Chrome 41
Internet Explorer: is vulnerable. Wait for a patch and see the security advisory.
Safari: is vulnerable. Wait for a patch.
Android Browser: is vulnerable. Switch to Chrome 41.
Blackberry Browser: is vulnerable. Wait for a patch.
Opera: on Mac and Android is vulnerable. Update to Opera 28 (when stable).

Other client applications (such as email) that use vulnerable TLS libraries may also be vulnerable.
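
Added example (not part of the original post or the quoted advisory): a small triage script that applies the version thresholds listed above to an inventory of installed client software. The inventory lines, function names and status labels are constructed for illustration; it assumes one fix threshold per product exactly as the post states it, so other release branches and distribution backports still need the vendor advisory.

```python
import re

# First fixed release per product, copied from the list in the post.
# Products listed without a fixed version (SecureTransport, SChannel, ...)
# and BoringSSL (date-based) are left out and reported as "unknown".
FIXED_IN = {"openssl": "1.0.1k", "libressl": "2.1.2", "mono": "3.12.1", "chrome": "41"}

def version_key(version):
    """Turn '1.0.1k' into a sortable key: numeric parts, then letter suffix.

    OpenSSL releases of this era append a patch letter (1.0.1j < 1.0.1k) and
    roll over to two letters after 'z' (0.9.8z < 0.9.8za), so the suffix is
    ordered by length first, then alphabetically.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:   # treat 41.0 the same as 41
        nums.pop()
    suffix = m.group(2)
    return tuple(nums), (len(suffix), suffix)

def triage(inventory):
    """Return (product, version, status) for each 'Product version ...' line."""
    results = []
    for line in inventory.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        product, version = parts[0], parts[1]
        fixed = FIXED_IN.get(product.lower())
        try:
            if fixed is None:
                status = "unknown"
            elif version_key(version) < version_key(fixed):
                status = "vulnerable"
            else:
                status = "patched"
        except ValueError:            # vendor-suffixed builds such as 1.0.1e-fips
            status = "unknown"
        results.append((product, version, status))
    return results

# Constructed sample inventory (e.g. first line is `openssl version` output).
INVENTORY = """OpenSSL 1.0.1j 15 Oct 2014
OpenSSL 1.0.1k 8 Jan 2015
LibreSSL 2.1.1
Mono 3.12.1
Chrome 40.0.2214.115
"""

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print("%-10s %-14s %s" % row)
```

A version string alone does not prove a build is patched or unpatched, since distributions often backport fixes without changing it; treat "vulnerable" results as items to confirm against the package changelog.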

