Reply to post: WTF?

FREAK show: Apple and Android SSL WIDE OPEN to snoopers

Badvok

WTF?

Amazing how many commentards log into a web site that says "you're vulnerable" and believe it.

This article refers to a report that conflates two very different but slightly related vulnerabilities that most here would appear not to have a clue about.

Yes, some browsers are susceptible to CVE-2015-0204, but that flaw actually just means that if you're connecting to a server that decides to degrade the temporary key to export grade, then you will not know about it. This is a server problem and is not possible with a man-in-the-middle attack unless your browser's root keys are also compromised. The only issue with the browser is that it continues without telling you.

However, browsers still supporting export-grade keys when negotiating security is a big problem, and it would be nice to have some idea of how big. Unfortunately, dumb sites that conflate the two problems are worse than useless.
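An added example, not part of the comment above or of the article it replies to: the server-side half of the check, written here as a small Python probe. It sends a TLS 1.0 ClientHello that offers only the RSA_EXPORT cipher suites (IDs 0x0003, 0x0006 and 0x0008 from the IANA TLS registry), then parses whatever comes back: a ServerHello that picks one of those suites means the server will negotiate export grade, and the ServerKeyExchange that follows carries the temporary RSA modulus, whose bit length the probe reports; a server that does not support them answers with an alert instead. The `probe()` function needs a reachable host and is an assumption about the target; the `sample_*` replies are constructed by hand for offline use, not captured traffic.

```python
import os
import socket
import struct
import sys

# Cipher-suite IDs from the IANA TLS registry: the RSA_EXPORT suites.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
HANDSHAKE, ALERT = 22, 21
CLIENT_HELLO, SERVER_HELLO, SERVER_KEY_EXCHANGE = 1, 2, 12


def _handshake(htype, body):
    # Handshake header: type (1 byte) + uint24 length
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def _record(ctype, payload):
    # Record header: content type, version TLS 1.0, uint16 length
    return bytes([ctype]) + b"\x03\x01" + struct.pack("!H", len(payload)) + payload


def build_client_hello(suites):
    """TLS 1.0 ClientHello (RFC 5246 7.4.1.2) offering only `suites`, no extensions."""
    body = b"\x03\x01" + os.urandom(32) + b"\x00"      # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # one compression method: null
    return _record(HANDSHAKE, _handshake(CLIENT_HELLO, body))


def parse_records(data):
    """Split a byte stream into complete (content_type, payload) TLS records."""
    out, i = [], 0
    while i + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[i:i + 5])
        if i + 5 + length > len(data):
            break
        out.append((ctype, data[i + 5:i + 5 + length]))
        i += 5 + length
    return out


def parse_handshakes(buf):
    """Split concatenated handshake-record payloads into (type, body) messages."""
    out, i = [], 0
    while i + 4 <= len(buf):
        length = int.from_bytes(buf[i + 1:i + 4], "big")
        if i + 4 + length > len(buf):
            break
        out.append((buf[i], buf[i + 4:i + 4 + length]))
        i += 4 + length
    return out


def server_hello_suite(body):
    # version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)
    sid_len = body[34]
    return struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]


def rsa_export_modulus_bits(body):
    # RSA_EXPORT ServerKeyExchange: rsa_modulus<1..2^16-1> rsa_exponent<1..2^16-1> signature
    mlen = struct.unpack("!H", body[:2])[0]
    return int.from_bytes(body[2:2 + mlen], "big").bit_length()


def analyze(response):
    """Summarise what the server did in reply to an export-only ClientHello."""
    result = {"refused": False, "export_accepted": False, "suite": None, "temp_key_bits": None}
    records = parse_records(response)
    result["refused"] = any(t == ALERT for t, _ in records)
    hs = b"".join(p for t, p in records if t == HANDSHAKE)
    for htype, body in parse_handshakes(hs):
        if htype == SERVER_HELLO:
            suite = server_hello_suite(body)
            result["suite"] = RSA_EXPORT_SUITES.get(suite, "0x%04x" % suite)
            result["export_accepted"] = suite in RSA_EXPORT_SUITES
        elif htype == SERVER_KEY_EXCHANGE and result["export_accepted"]:
            result["temp_key_bits"] = rsa_export_modulus_bits(body)
    return result


def probe(host, port=443, timeout=5):
    """Network probe (assumes a reachable host): send the export-only hello, read the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(list(RSA_EXPORT_SUITES)))
        data = b""
        try:
            while len(data) < 65536:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass   # server is now waiting for our ClientKeyExchange; we already have what we need
    return analyze(data)


def sample_export_response():
    """Constructed (not captured) reply: ServerHello picking RC4_40 export, then a 512-bit temp key."""
    sh = b"\x03\x01" + b"\x00" * 32 + b"\x00" + struct.pack("!H", 0x0003) + b"\x00"
    modulus = b"\x80" + b"\x11" * 63                   # 64 bytes, top bit set -> 512-bit modulus
    ske = struct.pack("!H", len(modulus)) + modulus + b"\x00\x03\x01\x00\x01" + b"\x00\x00"
    return _record(HANDSHAKE, _handshake(SERVER_HELLO, sh)) + _record(HANDSHAKE, _handshake(SERVER_KEY_EXCHANGE, ske))


def sample_refusal():
    """Constructed reply from a server without export suites: fatal handshake_failure alert."""
    return _record(ALERT, b"\x02\x28")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))          # python3 probe.py example.org
    else:
        print(analyze(sample_export_response()))
        print(analyze(sample_refusal()))
```

Run with a host name to probe a live server, or with no arguments to see the two constructed replies analysed. The ClientHello carries no SNI extension, so a virtual-hosting front end may answer for its default site; that does not change whether export suites are accepted, which is the only thing the probe reads.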
