on 04-03-2015 17:43
Yet another large scale scare story for the man in the street to worry about.
In case anybody's interested in a simple explanation:
* Yes, it is fairly easy for those with bad intent to use this to steal your information as it flows over the internet
* Yes, it is remarkably easy for website owners to fix. Any that haven't in 48 hours or so are being lazy
* It requires both the user to use an affected browser, AND the website to run affected SSL code, so if you fix your end, you won't be affected whichever sites you visit, (UNLESS the server has been compromised in another way too, but that is out of your control - ask the company running it. If they don't know, or don't care to tell you, draw your own conclusions)
* The affected browsers are basically the one built in to Android phones, and Safari
* Companies smart enough to run their servers on the latest OpenBSD would not be affected - well done those who choose this path
on 04-03-2015 17:54
on 04-03-2015 17:58
on 04-03-2015 18:36
Any clear explanation about this link please? To the 'man on the street' ....ie me...it makes no sense...
Veritas Numquam Perit
on 04-03-2015 19:07
on 04-03-2015 19:27
on 04-03-2015 19:32
Yoda he says......Yes I know I suffer with technophobia...but even reading the opening post and then the link...I still didn't 'get it'.....Ah well....
Veritas Numquam Perit
on 04-03-2015 19:50
on 04-03-2015 19:53
@viridis wrote:
@Cleoriff
Some websites are vulnerable to being attacked when using old, dodgy OpenSSL, and the attacker can then further attack your smartphone or other affected system using a vulnerable browser, and by using brute force can get your info.
Easily avoidable by site owners updating, or using the latest OpenBSD, which no longer uses OpenSSL in favour of the more secure LibreSSL.
That should clear it up nicely then
on 04-03-2015 20:00
I assumed that news and rumours would have already hit the mainstream press by the time anyone read my post.
In a nutshell, it's yet another one of those widespread, affects-loads-of-websites, should-have-been-noticed-and-fixed-years-ago bugs that's just surfaced to the wider IT industry earlier today.
It's been given a catchy name, (FREAK), and as such will probably be picked up by the media in the coming days. General fear and uncertainty will gradually spread across the country, and it will be blamed for everything bad that happens in the next week or so. If your private information is exposed, companies will justify their helplessness by pointing out that millions of sites were affected and so they were not careless.
So, let's look at the facts before getting carried away.
It's an old bug in security software used in some web browsers and some web servers.
If you use a vulnerable browser to connect to an affected website your "secure" communications COULD be observed, (passwords and activity monitored), even though you believe that they are sufficiently encrypted. In reality, whilst it's not particularly difficult, it is a little beyond the average teenage-kid-in-his-bedroom type hacker.
The correct way to fix it is for both sides, you with your browser, and the website administrator with the server, to upgrade to new versions which fix the bug.
In reality, as long as ONE side is not vulnerable, the "hack" won't work, so your info cannot be intercepted.
If, however, somebody uses this "hack" to gain further entry to a particular website, (fairly difficult, but certainly possible), then they can obviously do much more, potentially accessing all sorts of private info stored there.
Web browsers affected include the Android phone browser, and Safari. For all you geeks out there, I suspect that Lynx is vulnerable too. Other browsers generally are not.
You should all contact every organisation who holds your information on-line and tell them to patch their servers against this vulnerability. It's trivial for any competent IT worker to do. No excuses. Left unpatched, eventually somebody somewhere will be defrauded. So insist that it's done.
Once a website has been upgraded to more recent software which is not vulnerable, you can connect to it using a vulnerable browser and you will not be at risk.
And as I said, any company that has the sense to run their system on the latest OpenBSD can sit back and smugly say that their website is not vulnerable.
So:
1. Don't use the Android browser or Safari to connect to secure sites, unless you know that the site is not vulnerable, or until a patch is released.
2. Tell companies who hold your data to patch their systems and don't let them be lazy about it
Does that explain it a bit better?
By the way, various other things like encrypted email and apps that use encrypted communications will be affected too. Depends on how they were written. Again, upgrade to the latest versions and follow advice '2' above.