Your IT Consultant

More Problems for SSL/TLS Connections

March 4, 2015

I’m not sure what is worse…another snow day or discovering another flaw in secure encrypted connections. It looks like we have one of each yet again. The latest vulnerability in SSL/TLS in being called FREAK (Factoring RSA Export Keys). Apparently the bug is evident in some major websites such as FBI.gov, whitehouse.gov, Americanexpress.com and nordstromrack.com. The problem has existed for some time and is a result of government regulations that required the ability to export weaker encryption keys. The regulation has since expired, but apparently a lot of programmers didn’t remove the code. Security researchers have determined that for around $100 you can exploit the vulnerability using Amazon’s EC2 cloud in less than 8 hours. So how many people are going to spend the money or the time to compromise this latest discovery?

My favorite find from this story is the Qualys SSL Labs test site. Pump in your domain name and see what vulnerabilities may exist. As an example, you may see that SSL 3 is still enabled and needs to be disabled or that the site only supports older versions of TLS. These are the types of things that get propeller heads excited.

E-mail:   Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
http://www.linkedin.com/in/johnsimek
http://www.senseient.com