[Ach] FREAK Attack
Alan Orth
alan.orth at gmail.com
Wed Mar 4 17:05:24 CET 2015
In other words, this is a downgrade attack. If your server supports these
ciphers then a client can use them. If you're using the cipher suites from
Better Crypto in your application then you're fine. But yes, update
OpenSSL. :)
Alan
On Wed, Mar 4, 2015 at 6:10 PM L. Aaron Kaplan <aaron at lo-res.org> wrote:
>
> On Mar 4, 2015, at 3:18 PM, Raoul Bhatia <raoul at bhatia.at> wrote:
>
> > On 2015-03-03 23:53, Aaron Zauner wrote:
> >> Hi,
> >> It seems one of the OpenSSL CVEs from the 8th of jan. got a nice
> >> catchy name for itself now as well: https://freakattack.com/
> >> For people that do not follow OpenSSL advisorys closely, TL;DR:
> >> If you're using an unpatched OpenSSL version or have a cipherstring
> >> that allows for RSA_EXPORT you really should be updating by now.
> >
> > Do I correctly conclude that
> > I am safe if I have followed the ACH guide?
> Yes
>
> Export ciphers were avoided.
>
>
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20150304/3d071a2b/attachment.html>
More information about the Ach
mailing list