Re: OpenSSL FREAK vulnerability, CVE-2015-0204

From: Loganaden Velvindron <loganaden_at_gmail.com>
Date: Mon, 9 Mar 2015 13:45:40 +0400

On Mon, Mar 9, 2015 at 1:20 PM, S Moonesamy <sm+mu_at_elandsys.com> wrote:
> Hi Ish,
> At 10:22 08-03-2015, Ish Sookun wrote:
>>
>> Strangely, the CERT-MU website[1] speaks openly about the hand of NSA[2]
>> in the FREAK vulnerability[3] affecting OpenSSL while mainstream websites
>> have avoided the same.
>
>
> The Mauritian National Computer Security Incident Response Team article
> lists three sources. All three sources point to the same news article.
>
> I gather that you are referring to the following:
>
> "The FREAK problem dates back to a time when the US government had
> instituted
> a policy of only exporting weak crypto overseas to ensure the NSA could
> decrypt foreign communications; sale of strong encryption technology
> overseas was banned."
>
> That paragraph was copied from the news article and pasted into the CERT-MU
> web site article. That articles does not credit the researchers who
> discovered the vulnerability.
>
> This is a test with www.lemauricien.com:
>
> New, TLSv1/SSLv3, Cipher is EXP-DES-CBC-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : SSLv3
> Cipher : EXP-DES-CBC-SHA
>

Seems to be vulnerable to POODLE ...


> Regards,
> S. Moonesamy
>



-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
Received on Mon Mar 09 2015 - 09:45:53 PST

This archive was generated by hypermail 2.3.0 : Mon Mar 09 2015 - 09:54:01 PST