FREAK RSA weak key attack
s*****m
Posts: 13092
1
http://www.livehacking.com/2015/03/04/freak/
FREAK (or ‘Factoring attack on RSA-EXPORT Keys’) is a newly disclosed
vulnerability that can force browsers into using weaker encryption keys.
Once the connection is using weaker keys then the traffic can be cracked
relatively quickly. This then exposes all the information that was being
sent over the secure connection.
The vulnerability stems directly from an old U.S. government policy that
made it illegal to export strong encryption and required that weaker
“export-grade” products be shipped to customers in other countries. These
export restrictions were lifted in the late 1990s, but the weaker encryption
got built into widely used software, some of which made its way back
into the USA.
...
It also looks like Android’s web browser and Apple’s Safari browser are
vulnerable. According to Matt Green, “A group of cryptographers at INRIA,
Microsoft Research and IMDEA have discovered some serious vulnerabilities in
OpenSSL clients (e.g., Android) and Apple TLS/SSL clients (e.g., Safari)
that allow a ‘man in the middle attacker’ to downgrade connections from
‘strong’ RSA to ‘export-grade’ RSA.”