Welcome to the O2 Community

Anonymous
Posts: 0

FREAK attack on website security

Yet another large scale scare story for the man in the street to worry about.

In case anybody's interested in a simple explanation:

* Yes, it is fairly easy for those with bad intent to use this to steal your information as it flows over the internet

* Yes, it is remarkably easy for website owners to fix. Any that haven't in 48 hours or so are being lazy

* It requires both the user to use an affected browser, AND the website to run affected SSL code, so if you fix your end, you won't be affected whichever sites you visit (UNLESS the server has been compromised in another way too, but that is out of your control - ask the company running it. If they don't know, or don't care to tell you, draw your own conclusions)

* The affected browsers are basically the one built in to Android phones, and Safari

* Companies smart enough to run their servers on the latest OpenBSD would not be affected - well done those who choose this path ;)

Posts: 13,247
Topics: 80
Registered: 14-01-2014

Re: FREAK attack on website security

Link?



Anonymous
Posts: 0

Re: FREAK attack on website security

Posts: 84,292
Topics: 714
Registered: 14-01-2013

Re: FREAK attack on website security

Any clear explanation about this link, please? To the 'man on the street'... i.e. me... it makes no sense... :(

*The Game Is On*
Anonymous
Posts: 0

Re: FREAK attack on website security

Well, that's what I tried to explain in my first post :-)
Posts: 13,247
Topics: 80
Registered: 14-01-2014

Re: FREAK attack on website security

Posts: 84,292
Topics: 714
Registered: 14-01-2013

Re: FREAK attack on website security

Yoda, he says... Yes, I know I suffer with technophobia... but even reading the opening post and then the link... I still didn't 'get it'... Ah well...

*The Game Is On*
Posts: 13,247
Topics: 80
Registered: 14-01-2014

Re: FREAK attack on website security

@Cleoriff
Some websites are vulnerable to attack when using old, dodgy OpenSSL, and an attacker can then further attack your smartphone or other affected system, using a vulnerable browser and brute force, to get your info.
Easily avoidable by site owners updating, or using the latest OpenBSD, which no longer uses OpenSSL in favour of the more secure LibreSSL.



Posts: 98,370
Topics: 545
Registered: 04-04-2012

Re: FREAK attack on website security


@viridis wrote:
@Cleoriff
Some websites are vulnerable to attack when using old, dodgy OpenSSL, and an attacker can then further attack your smartphone or other affected system, using a vulnerable browser and brute force, to get your info.
Easily avoidable by site owners updating, or using the latest OpenBSD, which no longer uses OpenSSL in favour of the more secure LibreSSL.

That should clear it up nicely then LOL

I have no affiliation whatsoever with O2 or any subsidiary companies. Comments posted are entirely of my own opinion. This is not Customer Service so we are unable to help with account specific issues.

Currently using:
OnePlus 6 (O2 & Sfr), Z3 Tablet (Three UK), iPhone 8+ (EE)
Anonymous
Posts: 0

Re: FREAK attack on website security

I assumed that news and rumours would have already hit the mainstream press by the time anyone read my post :D

In a nutshell, it's yet another one of those widespread, affects-loads-of-websites, should-have-been-noticed-and-fixed-years-ago bugs that's just surfaced to the wider IT industry earlier today.

It's been given a catchy name, (FREAK), and as such will probably be picked up by the media in the coming days. General fear and uncertainty will gradually spread across the country, and it will be blamed for everything bad that happens in the next week or so. If your private information is exposed, companies will justify their helplessness by pointing out that millions of sites were affected and so they were not careless.

So, let's look at the facts before getting carried away.

It's an old bug in security software used in some web browsers and some web servers.

If you use a vulnerable browser to connect to an affected website, your "secure" communications COULD be observed (passwords and activity monitored), even though you believe that they are sufficiently encrypted. In reality, whilst it's not particularly difficult, it is a little beyond the average teenage-kid-in-his-bedroom type hacker.

The correct way to fix it is for both sides, you with your browser, and the website administrator with the server, to upgrade to new versions which fix the bug.

In reality, as long as ONE side is not vulnerable, the "hack" won't work, so your info cannot be intercepted.

If, however, somebody uses this "hack" to gain further entry to a particular website (fairly difficult, but certainly possible), then they can obviously do much more, potentially accessing all sorts of private info stored there.

Web browsers affected include the Android phone browser, and Safari. For all you geeks out there, I suspect that Lynx is vulnerable too. Other browsers generally are not.

You should all contact every organisation who holds your information on-line and tell them to patch their servers against this vulnerability. It's trivial for any competent IT worker to do. No excuses. Left unpatched, eventually somebody somewhere will be defrauded. So insist that it's done.

Once a website has been upgraded to more recent software which is not vulnerable, you can connect to it using a vulnerable browser and you will not be at risk.

And as I said, any company that has the sense to run their system on the latest OpenBSD can sit back and smugly say that their website is not vulnerable.

So:

1. Don't use the Android browser or Safari to connect to secure sites, unless you know that the site is not vulnerable, or until a patch is released.

2. Tell companies who hold your data to patch their systems and don't let them be lazy about it.

Does that explain it better?

By the way, various other things like encrypted email and apps that use encrypted communications will be affected too. Depends on how they were written. Again, upgrade to the latest versions and follow advice '2' above.
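The thread (the opening post and the long explanation above) says a server is only a problem if it still runs the affected SSL code, and that once a site is fixed even a vulnerable browser is safe there. The server half of that claim can be checked. FREAK works by a man-in-the-middle steering the handshake to an RSA_EXPORT (512-bit RSA) cipher suite, so a server that refuses every export suite cannot be used against you this way. What follows is an added example, not code from the thread or from O2: it builds a raw TLS 1.0 ClientHello that offers only the three RSA_EXPORT suites and classifies the first record the server sends back. The host and port arguments and the two sample replies are constructed for illustration, not captured from any real server.

```python
"""Probe a TLS server for FREAK-style export-grade RSA: does it still accept
RSA_EXPORT cipher suites?  Added example, not from the forum thread.

The ClientHello offers ONLY the RSA_EXPORT suites.  A patched server must
answer with a handshake_failure alert (or close the connection); a server
that answers ServerHello choosing one of them is the "affected SSL code"
the posts talk about.
"""
import os
import socket
import struct

# IANA cipher-suite numbers for the RSA_EXPORT suites FREAK abuses.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
TLS10 = b"\x03\x01"
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def build_client_hello(suites=EXPORT_SUITES, random_bytes=None):
    """Return a TLS record carrying a ClientHello that offers only `suites`."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        TLS10                                               # client_version
        + rnd                                               # random (32 bytes)
        + b"\x00"                                           # session_id length = 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes  # cipher_suites
        + b"\x01\x00"                                       # compression: null only
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS10 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record a server returned to the export-only hello.

    Returns (verdict, detail):
      ("export-accepted", suite name)  server chose an RSA_EXPORT suite: affected
      ("rejected", alert details)      server refused: what a patched server does
      ("other", reason)                inconclusive, look at the bytes by hand
    """
    if len(data) < 5:
        return ("other", "short or empty response (connection dropped?)")
    ctype = data[0]
    if ctype == ALERT:
        if len(data) < 7:
            return ("other", "truncated alert record")
        return ("rejected", f"alert level={data[5]} description={data[6]}")
    if ctype == HANDSHAKE:
        # ServerHello body starts at offset 9 (5 record + 4 handshake header):
        # version(2) random(32) session_id_len(1) session_id cipher_suite(2)
        if len(data) < 44 or data[5] != SERVER_HELLO:
            return ("other", "handshake record that is not a parseable ServerHello")
        off = 44 + data[43]
        if len(data) < off + 2:
            return ("other", "truncated ServerHello")
        suite = struct.unpack("!H", data[off:off + 2])[0]
        if suite in EXPORT_SUITES:
            return ("export-accepted", EXPORT_SUITES[suite])
        return ("other", f"ServerHello with non-export suite 0x{suite:04x}")
    return ("other", f"unexpected content type 0x{ctype:02x}")


def check_server(host, port=443, timeout=5.0):
    """Connect, send the export-only ClientHello, classify the reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_response(reply)


def _server_hello(suite):
    """Build a minimal ServerHello record choosing `suite` (constructed test data)."""
    body = TLS10 + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS10 + struct.pack("!H", len(hs)) + hs


# Constructed sample replies, not captured from any real server.
SAMPLE_VULNERABLE = _server_hello(0x0003)                        # picked RC4_40 export suite
SAMPLE_PATCHED = bytes([ALERT]) + TLS10 + b"\x00\x02\x02\x28"   # fatal handshake_failure (40)

if __name__ == "__main__":
    import sys
    print("constructed affected reply ->", classify_response(SAMPLE_VULNERABLE))
    print("constructed patched reply  ->", classify_response(SAMPLE_PATCHED))
    if len(sys.argv) > 1:                      # e.g. python3 freak_probe.py example.com
        print(sys.argv[1], "->", check_server(sys.argv[1]))
```

Run it with a hostname (the script name `freak_probe.py` is hypothetical) to probe a live server: a patched server answers with a fatal handshake_failure alert or drops the connection, an affected one answers ServerHello naming one of the export suites. The hello is hand-built because current OpenSSL releases no longer ship export suites at all, so `openssl s_client -cipher EXPORT` only reports that no cipher matched and cannot test this. The probe covers the server side only; the client-side bug (a browser accepting a 512-bit export RSA key it never asked for) is what the browser patch fixes, and this check says nothing about it.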