MacLemon

Unixy on the fruity side

TLS FREAK Attack

Status of the TLS FREAK (CVE-2015-204) vulnerability on OS X and iOS.

This vulnerability allows a downgrade of encrypted SSL and TLS connections to insecure ciphers that can be broken to eavesdrop on your communication. This does not only affect web browsers but all applications on all versions of OS X and iOS.

Update 2015-03-09 At this time there is no software update available from Apple that fixes this vulnerability.

Apple has provided security Updates: * iOS 8.2 * Security Update 2015-02 for * OS X 10.8.5 Mountain Lion * OS X 10.9.5 Mavericks * OS X 10.10.2 Yosemite

All older releases of iOS and OS X will remain vulnerable forever.

Testing

You can learn more about the technical details and vulnerable websites as well as test any web browser by visiting https://freakattack.com/

Status of Web Browsers on OS X

Exploitable (Do not use these Browsers)

  • Safari (all versions available)
  • Opera 27.0.1689.76
  • Opera Next BETA 26.0.1656.8

All applications that use Apple’s “SecureTransport” for SSL/TLS connections which is pretty much everything you run on OS X including Mail, iTunes, App Store, Calendar, Address Book, etc.

Seem to be OK

  • Chromium 42.0.2292.0 (64-bit) (Canary)
  • Chrome 41.0.2272.76 (64-bit)
  • Opera 23.0.1522.77
  • Opera Next BETA 28.0.1750.15
  • Opera Next BETA 28.0.1750.36
  • Firefox 36
  • Tor Browser 4.0.4
  • Firefox Developer Edition 37.0a2 (2015-01-19) (Aurora)
  • Firefox Developer Edition 38.0a2 (2015-03-04) (Aurora)

Inconclusive

  • Chromium 38.0.2125.122 (290379)

Status of Web Browsers on iOS

Exploitable (Do not use these browsers)

This applies to all versions of iOS and Apps. Testing was done on iOS 8.1.3 with all apps on the current version available in the iOS App Store.

This vulnerability affects all apps on iOS that do not specifically take counter measures!

  • Safari
  • iCab mobile
  • Opera Mini
  • AirWeb
  • Built in browsers and web views in any app
  • 1Password integrated Browser

Seems to be OK

  • Chromium

Inconclusive

  • Onion Browser

Recommendations

Refrain from using exploitable browsers until Apple has released a Security-Update that fixes the vulnerability. Keep all 3rd party browsers updated. Contact your sysadmins and service providers to make sure other servers like mail, jabber, calendar, contacts, etc. have been patched as well!

If you have any other browsers tested, please contact me so I can add the details. Using Twitter is fine as well!