
Thread: Secure connection vulnerability - Another good reason to use Firefox

  1. #1
    Super Moderator Javaphile's Avatar
    Join Date
    Dec 2004
    Location
    Earth!
    Posts
    15,771

    Secure connection vulnerability - Another good reason to use Firefox

    Many of the top browsers are vulnerable, including IE. Firefox is not vulnerable to this exploit.

    Almost 10% of the one million top domain names are vulnerable.

    Media articles on the vulnerability: ‘FREAK’ flaw undermines security for Apple and Google users, researchers discover - The Washington Post

    BBC News - Millions at risk from 'Freak' encryption bug

    Test your browser and links to more technical information: https://freakattack.com/


    Java "Once again hurray for Firefox!" phile
    Toys! I must have new toys!!!

  2. #2
    Senior Member
    Join Date
    Oct 2012
    Posts
    184
    Oh deary me, out of the "top susceptible sites" this one stuck out:

    4339 nespresso.com 91.209.84.237

  3. #3
    Senior Member speleomike's Avatar
    Join Date
    Nov 2005
    Location
    Sydney
    Posts
    942
    The sys admins there need to gulp down two espresso pods of intensity 11 and get back and upgrade their SSL :-)

  4. #4
    Senior Member speleomike's Avatar
    Join Date
    Nov 2005
    Location
    Sydney
    Posts
    942
    Had a look at that list. Most of those sites I'd never be visiting except for: nsw.gov.au and telstra

    telstra.com.au
    TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 (0x60) 56 INSECURE (key size )
    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x62) 56 INSECURE (key size )
    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64) 56 INSECURE (key size )
    They also support the use of weak 128 bit RSA4 keys so should disable that as well.

    But there is worse to come. nsw.gov.au support a 40 bit! RSA EXPORT protocol AND they are still vulnerable to the Poodle attack AND they have a Verisign certificate that expired more than 500 days ago!
    Reference: https://sslanalyzer.comodoca.com/?url=nsw.gov.au

    Edit: optusnet.com.au just as bad

    However, remember that if a site is just serving up http pages and is not using https (e.g. if they don't have any sites needing logins) then running an out-of-date or low bit SSL doesn't necessarily make the site or its clients insecure. It's only if you use a secure login and there is a man-in-the-middle.

    Mike
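
Added example, not part of the thread: a small parser for scan-report lines in the format quoted in the post above, which separates export-grade suites from normal ones and reports the largest key-exchange key each grade allows (512 bits for `EXPORT`, 1024 bits for `EXPORT1024`). The function names and the last two sample lines are constructed for illustration.

```python
import re

# Lines in the scan-report format quoted in post #4. The first three are
# copied from that post; the last two are constructed for contrast.
REPORT = """\
TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 (0x60) 56 INSECURE (key size )
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x62) 56 INSECURE (key size )
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64) 56 INSECURE (key size )
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3) 40 INSECURE (key size )
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
"""

# Suite name, hex code point, symmetric key bits.
LINE = re.compile(r"^(TLS_\w+)\s+\((0x[0-9a-fA-F]+)\)\s+(\d+)")
# Key-exchange method and export grade, e.g. RSA + EXPORT1024.
EXPORT_KX = re.compile(r"^TLS_(\w+?)_(EXPORT1024|EXPORT)_WITH_")
# Largest key-exchange key an export suite may use, in bits.
KX_LIMIT = {"EXPORT": 512, "EXPORT1024": 1024}


def classify(line):
    """Parse one report line; return None if it is not a cipher-suite line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    name = m.group(1)
    kx = EXPORT_KX.match(name)
    return {
        "name": name,
        "code": int(m.group(2), 16),
        "sym_bits": int(m.group(3)),
        "kx": kx.group(1) if kx else None,
        "kx_limit_bits": KX_LIMIT[kx.group(2)] if kx else None,
    }


def export_suites(report):
    """Return every export-grade suite, weakest key exchange first."""
    parsed = (classify(line) for line in report.splitlines())
    found = [c for c in parsed if c and c["kx_limit_bits"]]
    return sorted(found, key=lambda c: (c["kx_limit_bits"], c["sym_bits"]))


if __name__ == "__main__":
    for s in export_suites(REPORT):
        print(f'{s["name"]}: {s["kx"]} key <= {s["kx_limit_bits"]} bits, '
              f'cipher {s["sym_bits"]} bits')
```

A server operator would want this list to be empty; any entry means the export suites still need to be removed from the server's cipher configuration.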

  5. #5
    Senior Member flynnaus's Avatar
    Join Date
    May 2008
    Location
    Sydney
    Posts
    4,116
    Quote: Originally posted by Javaphile
    Many of the top browsers are vulnerable, including IE. Firefox is not vulnerable to this exploit.
    From https://freakattack.com/

    Chrome for Windows and all versions of Firefox are known to be safe

  6. #6
    Senior Member speleomike's Avatar
    Join Date
    Nov 2005
    Location
    Sydney
    Posts
    942
    ... and I just tested lynx and wget on Linux and they are vulnerable :-)
    I have no idea why they were not listed with the other major browsers :-)

    wget https://freakattack.com/clienttest.html
    lynx https://freakattack.com/clienttest.html

    Mike
