SSL/TLS MiTM hijacking vulnerability warning-vulnerability warning-the black bar safety net

2015-03-04T00:00:00
ID MYHACK58:62201559588
Type myhack58
Reporter 佚名
Modified 2015-03-04T00:00:00

Description

Dear users:

Security researchers discover new SSL/TLS on a serious vulnerability. Find the vulnerability the researchers noted that the use of this encryption technology vulnerabilities, hackers can steal Apple Safari and Google Android browsers of the user communication.

Vulnerability description:

Security experts found that a called FREAK(Factoring RSA-Export Keys, the decomposition of the RSA export key the attack. The attacks use of N. S. A. in the 2 0 century 9 0 age of early encryption during the war authorization supported but has been deprecated for a long time“export-grade”encryption support. Although the N. S. A. in 2 0 0 0 years has been to abandon this strategy, but many of the SSL/TLS client and server still support this type of connection. When the vulnerable client tries to connect to still allow the export level password of the host, it will cause problems. The attacker can be obtained from the server and pre-crack the weaker export passwords, then masquerade as a legitimate host to launch middle attack.

Vulnerability to harm:

Using this vulnerability the attacker can hijack the presence of vulnerability of the client and the gaps in service between the end of the session, thereby performing middle man attack.

Affected website:

About 3 to 6% on the openssl website is affected.

https://freakattack.com 该 网站 列出 了 存在 漏洞 的 网站 the.

Affected client:

Currently the Apple Safari and Google Android browsers are affected.

Authentication method:

You can use openssl to verify, the command is as follows

root@kali:~# openssl s_client-connect www.baidu.com:443 -cipher EXPORT

If the server is not affected by this vulnerability, it returns

!

Affected by this vulnerability, then return

!

Repair method:

Service end please update latest version of openssl

For the client of the repair, there is no manufacturer to provide patches, please pay close attention to