Re: Faille de sécurité Freak
Bonjour la team,
un article plus simple et plus complet sur le problème :
http://pro.clubic.com/it-business/securite-et-donnees/actualite-757073-freak-export-rsa-navigateur-ssl-securite.html
nb: je sais... un lien Clubic c'est pas très sérieux, mais il reste
abordable à la lecture pour le commun des mortels!
les recommandations officielles : https://freakattack.com/
tester son serveur : https://freakattack.com/
"If you run a web server, you should disable support for any export
suites. However, instead of simply excluding RSA export cipher suites,
we encourage administrators to disable support for _all known insecure
ciphers_ (e.g., there are export cipher suites protocols other than
RSA) and enable forward secrecy."
Pourquoi Apache :
"You see, it turns out that generating fresh RSA keys is a bit costly.
So modern web servers don't do it for every single connection. In
fact, Apache mod_ssl by default will generate a single export-grade
RSA key when the server starts up, and will simply re-use that key for
the lifetime of that server.
What this means is that you can obtain that RSA key once, factor it,
and break every session you can get your 'man in the middle' mitts on
until the server goes down. And that's the ballgame."
ref: http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
Le mod_ssl pour APACHE :
http://httpd.apache.org/docs/current/fr/mod/mod_ssl.html
La solution est donc de désactiver le mod_ssl mis par défaut dans
Apache. Voici une solution qui semble viable :
https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html
Soit dit en passant, ce problème est connu depuis longtemps (2010 pour
cet article de sécu).
Reply to: