How to protect your Windows machine against the FREAK hack attack

Use this fix until the Microsoft patch appears.

fix freak

Your Windows machine is vulnerable to the FREAK encryption flaw -- but there's a way to protect it. I've got the details on exactly how to do it.

In the FREAK (Factoring RSA Export Keys) flaw, a web site can be forced by a hacker to use weak encryption, and hackers can then intercept communications between your computer and the site. They can also infect the PC during the attack. It uses a man-in-the-middle attack on Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections.

Initially Windows machines were not thought to be vulnerable to it. But yesterday Microsoft issued a security advisory that said it was. The advisory warned:

Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows. Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system. The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems. When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers.

Microsoft is working on a patch that will solve the problem. Until then, though, if you're willing to get your hands dirty, there's something you can do to protect your system. You'll have to use the Group Policy Object Editor to disable the RSA key exchange ciphers that can lead to a FREAK attack. Note that Windows Server 2003 doesn't allow individual ciphers to be enabled and disabled, so this technique won't work on it.

Here are the steps the Microsoft security advisory says you should take:

1. At a command prompt, type gpedit.msc and press Enter to start the Group Policy Object Editor.

2. Expand Computer Configuration, Administrative Templates, Network, and then click SSL Configuration Settings.

3. Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.

4. In the SSL Cipher Suite Order pane, scroll to the bottom of the pane.

5. Follow the instructions labeled How to modify this setting, and enter the following cipher list:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

6. Click OK.

7. Close the Group Policy Object Editor and then restart your computer.

Related:
ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon