
FREAK attack on website security

Anonymous
Not applicable

Yet another large scale scare story for the man in the street to worry about.

 

In case anybody's interested in a simple explanation:

 

* Yes, it is fairly easy for those with bad intent to use this to steal your information as it flows over the internet

 

* Yes, it is remarkably easy for website owners to fix.  Any that haven't in 48 hours or so are being lazy

 

* It requires both the user to use an affected browser, AND the website to run affected SSL code, so if you fix your end, you won't be affected whichever sites you visit, (UNLESS the server has been compromised in another way too, but that is out of your control - ask the company running it.  If they don't know, or don't care to tell you, draw your own conclusions)

 

* The affected browsers are basically the one built in to Android phones, and Safari

 

* Companies smart enough to run their servers on the latest OpenBSD would not be affected - well done those who choose this path

Message 1 of 29

viridis
Level 56: Guvnor
Link?
Message 2 of 29

Anonymous
Not applicable

Cleoriff

Any clear explanation about this link please? To the 'man on the street' ....ie me...it makes no sense...

Message 4 of 29

Anonymous
Not applicable
Well, that's what I tried to explain in my first post 🙂
Message 5 of 29

viridis

Message 6 of 29

Cleoriff
Level 94: Supreme

Yoda he says......Yes I know I suffer with technophobia...but even reading the opening post and then the link...I still didn't 'get it'.....Ah well....

 

Message 7 of 29

viridis
Level 56: Guvnor
@Cleoriff
Some websites are vulnerable to attack when using old, dodgy OpenSSL, and the attacker can then further attack your smartphone or other affected system using a vulnerable browser; by using brute force they can get your info.
Easily avoidable by site owners updating, or using the latest OpenBSD, which no longer uses OpenSSL in favour of the more secure LibreSSL.
Message 8 of 29

MI5
Level 94: Supreme

@viridis wrote:
@Cleoriff
Some websites are vulnerable to attack when using old, dodgy OpenSSL, and the attacker can then further attack your smartphone or other affected system using a vulnerable browser; by using brute force they can get your info.
Easily avoidable by site owners updating, or using the latest OpenBSD, which no longer uses OpenSSL in favour of the more secure LibreSSL.

That should clear it up nicely then LOL

Message 9 of 29

Anonymous
Not applicable

I assumed that news and rumours would have already hit the mainstream press by the time anyone read my post.

 

In a nutshell, it's yet another one of those widespread, affects-loads-of-websites, should-have-been-noticed-and-fixed-years-ago bugs that's just surfaced to the wider IT industry earlier today.

 

It's been given a catchy name, (FREAK), and as such will probably be picked up by the media in the coming days.  General fear and uncertainty will gradually spread across the country, and it will be blamed for everything bad that happens in the next week or so.  If your private information is exposed, companies will justify their helplessness by pointing out that millions of sites were affected and so they were not careless.

 

So, let's look at the facts before getting carried away.

 

It's an old bug in security software used in some web browsers and some web servers.

 

If you use a vulnerable browser to connect to an affected website your "secure" communications COULD be observed, (passwords and activity monitored), even though you believe that they are sufficiently encrypted.  In reality, whilst it's not particularly difficult, it is a little beyond the average teenage-kid-in-his-bedroom type hacker.

 

The correct way to fix it is for both sides, you with your browser, and the website administrator with the server, to upgrade to new versions which fix the bug.

 

In reality, as long as ONE side is not vulnerable, the "hack" won't work, so your info cannot be intercepted.

 

If, however, somebody uses this "hack" to gain further entry to a particular website, (fairly difficult, but certainly possible), then they can obviously do much more, potentially accessing all sorts of private info stored there.

 

Web browsers affected include the Android phone browser, and Safari.  For all you geeks out there, I suspect that Lynx is vulnerable too.  Other browsers generally are not.

 

You should all contact every organisation who holds your information on-line and tell them to patch their servers against this vulnerability.  It's trivial for any competent IT worker to do.  No excuses.  Left unpatched, eventually somebody somewhere will be defrauded.  So insist that it's done.

 

Once a website has been upgraded to more recent software which is not vulnerable, you can connect to it using a vulnerable browser and you will not be at risk.

 

And as I said, any company that has the sense to run their system on the latest OpenBSD can sit back and smugly say that their website is not vulnerable.

 

So:

 

1. Don't use the Android browser or Safari to connect to secure sites, unless you know that the site is not vulnerable, or until a patch is released.

 

2. Tell companies who hold your data to patch their systems and don't let them be lazy about it.

 

Does that explain it better?

 

By the way, various other things like encrypted email and apps that use encrypted communications will be affected too.  Depends on how they were written.  Again, upgrade to the latest versions and follow advice '2' above.

Message 10 of 29