Is Your Browser Safe From FREAK?

toggle-button

In the dim and distant past of the internet, around 15 years ago, the United States Government made it illegal for US companies to export software that included strong encryption. IE, encryption that couldn't be cracked by the US's own security and intelligence agencies. Encryption algorithms were classed as munitions, and were illegal to export.

Although those rules have now been relaxed, most internet servers and web browsers still include the old encryption algorithms built in, even though most of them are rarely used. But recently it was discovered that many internet-based systems can be easily fooled into enabling the old, insecure encryption systems rather than using the newer ones. In the case of SSL, which encrypts your credit card information or bank details when you log onto a financial web site, this means that a hacker who intercepted the transmission could crack the password in around 7 hours.

The flaw, known as FREAK, affects many major web browsers on both Windows, iPad, iPod and Android. The best way to protect yourself is to ensure that, whatever platform you use, you keep an eye out for any security fixes issued by software vendors and that you install them as soon as possible. If you don't already have automatic updates enabled in Windows, do it now.

Meanwhile, you can check if your browser is vulnerable by going to https://freakattack.com which will give you an instant indication. In my case, Chrome passed the test but Internet Explorer did not. So you can guess which browser I'll be using for the moment.

Please rate this article: 

Your rating: None
4.117645
Average: 4.1 (17 votes)
toggle-button

Comments

Rob, the unexplained red "Warning" image, taken out of the context of its source page, seems confusing to me.

Alternatives:
- a screen image of the freakattack site;
- along with the "Warning" image, add the blue "Good News" image;
- explain what possible results to expect at the freakattack site.

I use Windows 7/64 Pro and was foun to be susceptible to the "Freak." I went to the Freak site and found the link to the recommended fix from Microsoft. My OS is no longer in danger. Thanks Gizmo for this heads up and to all other commenters for your valuable insights. What a team!

Firefox 36.0.1, Opera 12.17 (not that new Chrome-based abortion) and Vivaldi beta all show safe.

MS is offering a work-around cipher list modification but the instructions don't state whether it's to be added to the existing list or replace it. Anyone have any thoughts?

SRWare Iron v. Version 40.0.2150.0 passes

Thanks for this. Pale Moon passed with no problems.

AVAST was the problem on CHROME Version 43.0.2323.2 canary (64-bit).

Hmm.. My Firefox (latest version 36.0.1) showing as NOT safe. Windows 7 32 bit. Anyone have any ideas?

UPDATE: After a bit of searching, it turns out that Avast AV's Web Shield was responsible for the failure messages. Turning off Web Shield resulted in a Pass test result.

Thanks for the comments and suggestions. Love this site.

Weird, my main laptop is Win8 64bit. Older Firefox 31.0, because I'm tired of updates disabling my addons.

It says I'm safe from FREAK!

So why would a newer version be unsafe?

Maybe you've got a bad addon?

===================

I'll check my other puters later. I need to get back to housework now.

Well, I ran Firefox in safe mode with the same results. Did a complete uninstall/reinstall, with no plug-ins or add-is, and again, the same failing results.

Tried the portable version of Pale Moon (thanks Aninnymous), and it passes. Weird.

I'm betting that most Firefox users here are running the 64 bit version? My Windows 7 is only 32 bit.

PaleMoon (a firefox clone) is fine - I just checked. I would suggest you try it out in any case. All of your Firefox plugins and extensions should run fine. It does not have any of the recently objectionable alterations made to Firefox.

http://www.palemoon.org/download-ng.shtml

The problem has been known about for many years, and software vendors are now rapidly working on patches. The best advice, I think, is to continue using the internet as you always have, but to make sure that you always install any security updates as soon as they are released.
Apple fixed the problem with "Security Update 2015-02" for OS X and also with the release of iOS 8.2 in the last couple of days. I expect that Microsoft will address the issue in the next batch of "Patch Tuesday" Windows Updates

Ha! My Firefox is safe. Why aren't you praising Firefox? A little Foxism?

How did it fail bernardz,if you clicked on the link and it did not load, Chrome passed the test.

davy how could your chrome pass the tes if it did not load? chrome certainly failed with me both in android and win8 however there is an interesting comment here on this test website that " Update: Firefox users who get reports that their system is vulnerable may want to check if add-ons or security software is interfering with the process. Ghacks reader Torro noticed that Avast's Web Shield was the cause for vulnerability reports in his version of Firefox." I have a feeling it is either not a good test or there is something more then the browser.

This is what is on the webpage.When I click on the link it does not load,meaning Chrome is secure as it did not go to the page.(Whoops! Your browser might be incompatible with our automatic vulnerability test. If this link loads without errors, you're vulnerable.)

Are you running by any chance an old version of windows because I get the same issue with firefox on VISTA running AVG

I am using Chrome on Windows 7 64bit.It passed the test.

Google Chrome version 41.0.2272.76 m (64-bit) for Windows passed the test here.

danielson, clearly it is not as simple as just the browser on this page it states now "Chrome for Windows and all versions of Firefox are known to be safe. However, even if your browser is safe, certain third-party software, including some anti-virus products and adware programs, can expose you to the attack by intercepting TLS connections from the browser. If you are using a safe browser but our client test says you’re vulnerable, this is a likely cause. In addition to browsers, many mobile apps, embedded systems, and other software products also use TLS. These are also potentially vulnerable if they rely on unpatched libraries or offer RSA_EXPORT cipher suites."
Interestingly both firefox and Palemoon with me passed the test, but my Chrome did not. I updated chrome to the latest version, and it still did not pass. So I uninstalled Chrome, re-installed a fresh copy and doubled checked that I had the latest copy Version 41.0.2272.76 m and it still failed. As far as Internet explorer, it failed, but as I never use it, so I do not care. I also decided to check it on my android, firefox passed the test but chrome failed there too.

You can try the Chromium alternatives. There are many but I like Comodo Dragon which is somewhat optimized for security but runs all Chrome extensions & plugins that I have tried.

https://www.comodo.com/home/browsers-toolbars/internet-products.php