PATCH FREAK NOW: Cloud providers faulted for slow response
Hundreds of cloud providers are still vulnerable to the serious FREAK cryptographic vulnerability. Skyhigh Networks found that 766 cloud services are still at risk 24 hours after FREAK was made public, based on an analysis of more than 10,000 different services. The average company is using 122 potentially vulnerable services …
COMMENTS
-
Thursday 5th March 2015 23:15 GMT Stephen Booth
Patch?
I think "Patch" implies that the software binary needs to be updated in the cloud providers. That's misleading.
The bug is in the browsers. If the server is CONFIGURED to allow weak ciphers to be negotiated then a man-in-the-middle attack can be used to force a buggy browser to negotiate a weak cipher even if it is configured not to.
The server can prevent this from happening by a configuration change only. Of course removing support for weak ciphers in future releases is also a good idea. It also means that it's even more unforgivable that services are still accepting these obsolete ciphers because it just means nobody bothered to change a config file.
-
Friday 6th March 2015 00:34 GMT Anonymous Coward
Re: Patch?
A patch is a patch, regardless if its victim is a binary or text file....but I know what you mean.
Anyways, just how much of this "cloud" is yours when you can't configure this yourself? I *thought* you had full control over your "cloud"? Why would you want a "cloud" otherwise...just storage?
-
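Added example, not part of the article or of any comment above: one way to confirm from server-side packet captures whether a service still accepts RSA export suites, the configuration condition the first comment describes. The suite IDs are those defined in RFC 2246; the function names and the sample records built by `build_hello` are constructed for illustration.

```python
import struct

# RSA export suites defined in RFC 2246 (key exchange limited to 512-bit RSA).
RSA_EXPORT = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def hello_body(record, msg_type):
    """Strip the TLS record and handshake headers; return (body, offset past session id)."""
    if len(record) < 9:
        raise ValueError("record too short")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rlen]
    if ctype != 22 or rlen < 4 or len(hs) != rlen or hs[0] != msg_type:
        raise ValueError("not a complete handshake record of the expected type")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    # version(2) + random(32) + session_id_len(1) + session_id + at least 2 more bytes
    if len(body) < 37 or len(body) < 37 + body[34]:
        raise ValueError("truncated hello")
    return body, 35 + body[34]

def offered_export(client_hello):
    """Names of export suites in a ClientHello as it arrived at the server."""
    body, off = hello_body(client_hello, 1)
    n = int.from_bytes(body[off:off + 2], "big")
    ids = [int.from_bytes(body[i:i + 2], "big") for i in range(off + 2, off + 2 + n, 2)]
    return [RSA_EXPORT[i] for i in ids if i in RSA_EXPORT]

def accepted_export(server_hello):
    """Name of the export suite the server selected, or None if it chose a non-export suite."""
    body, off = hello_body(server_hello, 2)
    return RSA_EXPORT.get(int.from_bytes(body[off:off + 2], "big"))

def build_hello(msg_type, suites):
    """Constructed sample record (not captured traffic): 1 = ClientHello, 2 = ServerHello."""
    ids = b"".join(s.to_bytes(2, "big") for s in suites)
    tail = (len(ids).to_bytes(2, "big") + ids + b"\x01\x00") if msg_type == 1 else (ids + b"\x00")
    body = b"\x03\x01" + bytes(32) + b"\x00" + tail
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    print(offered_export(build_hello(1, [0x002F, 0x0003])))  # hello that requests an export suite
    print(accepted_export(build_hello(2, [0x0003])))         # server config still permits export
    print(accepted_export(build_hello(2, [0x002F])))         # server with export suites disabled
```

A non-`None` result from `accepted_export` on traffic from your own service means the cipher configuration still needs the change the comment calls for.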