Blog
Data Security
Should You FREAK Out About The Newest SSL/TLS Exploit?

Should You FREAK Out About The Newest SSL/TLS Exploit?

If you have any questions, please contact SecurityMetrics support, 801.705.5700.

Updated
December 14, 2022
Posted
March 10, 2015
Cybersecurity
Audit
Security Budget
Risk Assessment
Should You FREAK Out About The Newest SSL/TLS Exploit?

Who it affects, how hackers could use it, and what you should do about it.

On March 3, 2015, a new exploit related to an old SSL/TLS vulnerability was discovered and dubbed FREAK (CVE-2015-0204). It’s name stands for Factoring Attack on RSA-EXPORT Keys and is estimated to affect 33% of HTTPS encrypted websites.

FREAK makes it easier for hackers to decode HTTPS connections, but only if a vulnerable browser connects to a web server that supports export-grade cryptography.

The problem originated in 1990 when the government required manufacturers to develop weak keys for any software/hardware exported out of the U.S. To satisfy the mandate, manufacturers designed products that offered both commercial-grade and export-grade key options. Governmental export restrictions have since been dropped, but many hardware/software versions still have export-grade cryptography.

See also: SecurityMetrics PCI Guide

Affected browsers

  • Internet Explorer
  • Chrome on Android
  • Android browser
  • Safari on Mac OS and iOS
  • BlackBerry browser
  • Opera on Mac OS X
  • Opera on Linux

Affected systems

  • All supported releases of Microsoft Windows

How does the FREAK exploit work?

The exploit is a man-in-the-middle attack which allows attackers to tamper with the unencrypted handshake protocol and force a downgrade to export-grade encryption, allowing the attacker to eventually see all website or system traffic.

Our recommendations

  • Check if your browser is safe from the FREAK attack
  • Make sure your browser is up to date, and apply patches on your systems, if needed
  • Keep your vulnerability scans up to date (SecurityMetrics vulnerability scans will flag servers that allow weak SSL ciphers, including the export level ciphers upon which this attack is based.)

SecurityMetrics vulnerability scan customers can check if their systems are vulnerable to FREAK by simply logging in and running a vulnerability scan. The scan detects weak SSL encryption, and alerts customers of any critical vulnerabilities.

If you have any questions, please contact SecurityMetrics support, 801.705.5700.

Join Thousands of Security Professionals.

Subscribe Now

Get the Guide To PCI Compliance

Download

Get a Quote for Data Security

Request a Quote
Stay up to date
Subscribe to our blog.
Subscribe Now
Data Security
Vulnerability ScanningPenetration TestingSecurity TrainingPANscan®SecurityMetrics VisionSecurityMetrics MobileCIS Controls AssessmentConsultingResellerForensic/Incident ResponseData and Network SecurityData Security AcademyWebpage Integrity Monitoring (WIM)Shopping Cart Inspect (PCI Req. 11.6.1)Shopping Cart Monitor (PCI Req. 11.6.1)SecurityMetrics Pulse
Compliance
GDPR CompliancePCI CompliancePCI DSS AuditPCI Level 4 ProgramPA-DSS/SSF AuditP2PE AuditPIN Security AssessmentPCI PoliciesPCI TrainingHIPAA ComplianceHIPAA PoliciesHIPAA TrainingHealth Network ProgramHITRUST
Company Info
About UsBlogGlossaryMedia RelationsCareersTerms of UsePrivacyAbuseDo Not Sell My Information
Contact
Contact UsReport a Vulnerability
SecurityMetrics podcast logoLinkedIn logoFacebook logo
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy PolicyTerms and Conditions
Your IP Address is:
YouTube logoSecurityMetrics podcast logoLinkedIn logoFacebook logo
Subscribe to our blog
Subscribe Now
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy Policy
|
Terms and Conditions
|
Your IP Address is:
000.000.000.000