We wrote about the new SSL vulnerability called FREAK – Factoring RSA Export Keys – affects around 36% of all sites trusted by browsers and around 10% of the Alexa top one million domains, according to computer scientists at the University of Michigan.
Android, iOS and a lot of embedded devices that make use of the affected SSL clients (including Open) are in danger of having their connections to vulnerable websites intercepted.
The two most used operating systems for smartphones, tablets, laptops and embedded devices are in good company. Yesterday, Microsoft made known that all its supported Windows versions are also affected due to the presence of the vulnerability in the Windows Secure Channel (SChannel) – the Microsoft own implementation of SSL/TLS:
- Windows Server 2003
- Windows Vista
- Windows Server 2008
- Windows 7
- Windows 8 and 8.1
- Windows Server 2012
- Windows RT
Microsoft published an TechCenter an advisory where the problem is analyzed and solutions are offered. Also a patch is promised to fix all supported operating systems.
What does it mean for the user?
It means that if you are in Windows and make use of the vulnerable SSL libraries delivered by default, your connection to the affected servers can be intercepted. If you use Internet Explorer to visit www.freakattack.com you will be surprised to see this:
We do not recommend messing up with the standard cryptography settings of Windows (or any operating systems) unless you know what you are doing (and there is a just hand full of people that actually do). You should try a browser that is not affected (like Chrome, which was updated in the meanwhile) and apply the patches for operating system and browsers that will come in the next few days.