Summary: The FREAK security hole is more widespread than previously thought. Here’s everything users and system administrators need to know in order to stay safe now.
Great, just great. FREAK, the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) security hole, isn’t only in programs that use Apple’s SSL implementation or old OpenSSL. We now know that FREAK is present in Microsoft’s Secure Channel (SChannel) stack too.
FREAK enables SSL Man-in-the-Middle attacks because of bad security decisions made almost two decades ago. As Andrew Avanessian, Avecto’s EVP of consultancy and technology services, told me in an e-mail, “The FREAK attack is clear evidence of how far back the long tail of security stretches. As new technologies emerge, and cryptography hardens, many simply add on new solutions without removing outdated and vulnerable technologies. This effectively undermines the security model you are trying to build.”