PSIRT Advisory

TLS FREAK Attack

Description

FREAK is an attack on SSL/TLS, which allows "Man in the Middle" attackers to decipher and alter HTTPS connections between a server supporting "export-grade" cipher suites and a vulnerable client.
It consists in downgrading the connection's encryption from "strong" RSA to "export-grade" RSA, by leveraging a vulnerability (CVE-2015-0204) on the client side.
The "export-grade" encryption is weak enough to be broken by the attacker, who can then decipher and alter the connection.

Impact

Information disclosure