Le FREAK, C’est NOT Chic — (CVE-2015-0204)
In recent days, a new TLS/SSL vulnerability (CVE-2015-0204) known as FREAK has been taking the Internet by storm. It refers to a weakness in some implementations of SSL/TLS that may allow an attacker to decrypt secure communications between vulnerable clients and servers. This vulnerability is caused by the support for older, less secure cipher suites (RSA Export) and the ability for a man-in-the-middle to force the downgrade of an SSL connection. This allows the attacker to potentially view the content over a less secure communications channel. Both clients and servers are at risk, affecting multiple platforms including Windows and Linux.
Verizon Digital Media Services servers for content delivery never supported the older insecure cipher suites and are not susceptible to the types of attacks described in CVE-2015-0204.
Verizon Digital Media Services negotiates to the customer origin based on the origin server cipher suites and preferred order. We do recognize that a few customers will need to review their origin servers, to ensure the origin is also not susceptible to these types of attacks. The customers will need to disable the support of the RSA Export cipher suites and to patch their servers.
Verizon Digital Media Services has proactively contacted customers whose origin servers may be susceptible to the FREAK attack. To check the security of your server we suggest using the Qualys SSL Labs’ SSL Server Test found at https://www.ssllabs.com/ssltest/.