Re: OpenSSL FREAK vulnerability, CVE-2015-0204

From: S Moonesamy <sm+mu_at_elandsys.com>
Date: Mon, 09 Mar 2015 02:20:48 -0700

Hi Ish,
At 10:22 08-03-2015, Ish Sookun wrote:
>Strangely, the CERT-MU website[1] speaks openly about the hand of
>NSA[2] in the FREAK vulnerability[3] affecting OpenSSL while
>mainstream websites have avoided the same.

The Mauritian National Computer Security Incident Response Team
article lists three sources. All three sources point to the same news article.

I gather that you are referring to the following:

   "The FREAK problem dates back to a time when the US government had
    instituted a policy of only exporting weak crypto overseas to ensure
    the NSA could decrypt foreign communications; sale of strong
    encryption technology overseas was banned."

That paragraph was copied from the news article and pasted into the
CERT-MU web site article. That article does not credit the
researchers who discovered the vulnerability.

This is a test with www.lemauricien.com:

   New, TLSv1/SSLv3, Cipher is EXP-DES-CBC-SHA
   Server public key is 2048 bit
   Secure Renegotiation IS supported
   Compression: NONE
   Expansion: NONE
   SSL-Session:
       Protocol : SSLv3
       Cipher : EXP-DES-CBC-SHA

Regards,
S. Moonesamy
Received on Mon Mar 09 2015 - 09:21:12 PST
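
Added example, not part of the original message: a Python check that reads `openssl s_client` summary output like the lines quoted in the test above and flags an export-grade cipher. The sample text is constructed from those quoted lines; the function names and the name-based heuristic (OpenSSL's `EXP` prefix for export suites) are assumptions of this example.

```python
import re

# Constructed sample: the s_client summary lines quoted in the message above.
SAMPLE = """\
New, TLSv1/SSLv3, Cipher is EXP-DES-CBC-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : SSLv3
    Cipher : EXP-DES-CBC-SHA
"""

# OpenSSL names export-grade suites with an EXP prefix (EXP-..., EXP1024-...).
EXPORT_RE = re.compile(r"^EXP(1024)?-")
# Markers in OpenSSL suite names for key exchanges other than plain RSA.
NON_RSA_KX = ("EDH-", "DHE-", "ADH-", "KRB5-")

def parse_s_client(text):
    """Pull the negotiated protocol and cipher out of the SSL-Session block."""
    result = {"protocol": None, "cipher": None}
    for line in text.splitlines():
        m = re.match(r"\s*(Protocol|Cipher)\s*:\s*(\S+)", line)
        if m:
            result[m.group(1).lower()] = m.group(2)
    return result

def assess(text):
    """Return (parsed fields, list of findings) for one s_client run."""
    info = parse_s_client(text)
    cipher = info["cipher"]
    if cipher in (None, "0000", "(NONE)"):  # handshake did not complete
        return info, ["no cipher negotiated"]
    findings = []
    if EXPORT_RE.match(cipher):
        kx = "non-RSA" if any(k in cipher for k in NON_RSA_KX) else "RSA"
        findings.append(f"export-grade cipher ({kx} key exchange): {cipher}")
    if info["protocol"] in ("SSLv2", "SSLv3"):
        findings.append(f"obsolete protocol: {info['protocol']}")
    return info, findings

if __name__ == "__main__":
    info, findings = assess(SAMPLE)
    print(info, findings)
```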
