The FREAK Attack

I’d like to start off by saying that I’m no cyber-security expert. I was doing some reading on attacks that can be done to a website when I came across the FREAK attack documented here. To quote the site, the attack

…allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data

Eager to see if I was vulnerable to this I found this online tool and ran my site (hosted by Netlify). It told me that I was vulnerable and that to fix it I needed to

Upgrade the OpenSSL version to at least 1.02

Is this something that I should be concerned about? Or that I can fix myself? How do I proceed here, as I think I’m naturally concerned that my site is reported to be vulnerable to an attack discovered in 2015.

hey @simeon9696, thanks for checking in on this! Of course we want you to have the most up to date site security - that’s good for you, and good for us.

I am not an expert on this topic - and the person who I might ask is out today, but I will follow up and let you know.

Hi @simeon9696 and thanks for the ping!

As far as I can tell that tool says explicitly that you are not vulnerable:

Not sure why it then gives you information for eliminating a vulnerability you don’t have, but I think that is what the note about openssl is: for people who are vulnerable, e.g., not you and us.

If you read it differently let me know and I’ll be happy to have our security team take a closer look, but we generally aim for “A+” ratings from the third party Qualys SSL Labs site for our SSL service, and that’s where we seem to be today (including for your site), and that generally means there aren’t any major attackable problems in our TLS implementation.

Hi @fool thanks for getting back to me so quickly! I’ve noticed that you used purely the domain in your test and not the entire link (https:// etc etc)

If I run the test with the domain I get your result

But if I use the full link it reports that I’m vulnerable

I definitely don’t understand why this is happening. Would you be able to shed some light on that? The stellar A+ rating on Qualys SSL Labs site does put my mind at ease however. So thank you for that.

My reading is that the testing tool wants only a hostname, and when you give it something else, like a URL, or garbage (I just typed: h:/ and got the same result as you), then it’ll tell you something is wrong, regardless of your input.

I do not think you, or we, are vulnerable.
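Two things in this thread are worth making concrete: the scanner expects a bare hostname and reports "vulnerable" for anything it cannot parse (a URL, or garbage like `h:/`), and FREAK's "weakened encryption" means export-grade RSA cipher suites. The script below is an added example, not code from the thread, from Netlify, or from the scanning tool; it normalises user input to a hostname so bad input is rejected before a scan, flags export-grade suites in a (constructed) list of cipher-suite names such as a scanner might report, and checks whether the local Python/OpenSSL client could even offer such suites. `SAMPLE_SCAN` is made up for illustration and is not a scan result for the poster's site.

```python
"""Sanity checks around a FREAK / export-cipher scan (added example, not the thread's code)."""
import re
import ssl
from urllib.parse import urlsplit

# Suite-name fragments that mark export-grade (40/56-bit) RSA key exchange, in both
# IANA style (TLS_RSA_EXPORT_...) and OpenSSL style (EXP-..., EXP1024-...).
# These are the suites a FREAK attacker forces a client and server to agree on.
EXPORT_MARKERS = ("_EXPORT", "EXP-", "EXP1024")

# One DNS label: 1-63 alphanumerics/hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample of suite names, NOT output from any real scan.
SAMPLE_SCAN = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
]


def to_hostname(user_input: str) -> str:
    """Reduce a URL or hostname to the bare hostname a scanner expects.

    Raises ValueError when no usable hostname is present (e.g. "h:/"), so a
    caller can tell "bad input" apart from "the site is vulnerable".
    """
    text = user_input.strip()
    if "://" in text:
        host = urlsplit(text).hostname or ""   # strips scheme, userinfo, port, path
    else:
        host = text.split("/", 1)[0].split(":", 1)[0]
    host = host.lower()
    labels = host.split(".")
    # Require at least two valid labels: a public scanner has no use for "h" or "".
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"no usable hostname in {user_input!r}")
    return host


def export_grade_suites(suite_names):
    """Return the suites from `suite_names` that use export-grade key exchange."""
    return [s for s in suite_names if any(m in s.upper() for m in EXPORT_MARKERS)]


def local_client_allows_export() -> bool:
    """True if this Python/OpenSSL build would offer an export suite as a client.

    On any OpenSSL 1.1.0+ build this is False: export suites were removed entirely.
    """
    ctx = ssl.create_default_context()
    return bool(export_grade_suites(c["name"] for c in ctx.get_ciphers()))


if __name__ == "__main__":
    for raw in ("example.com", "https://www.example.com/index.html", "h:/"):
        try:
            print(f"{raw!r} -> {to_hostname(raw)}")
        except ValueError as err:
            print(f"{raw!r} -> rejected: {err}")
    print("export-grade suites in sample:", export_grade_suites(SAMPLE_SCAN))
    print("local client can offer export ciphers:", local_client_allows_export())
```

The hostname check is deliberately strict: it is better for a wrapper around a scanner to refuse `h:/` than to pass it through and have the tool's "vulnerable" boilerplate read as a finding. A server that is actually exposed to FREAK would accept one of the `_EXPORT` / `EXP-` suites; the fix the tool quotes (a current OpenSSL) removes those suites from the server entirely.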