Home      Download       Installation 
   SSLlocker specs     Versions     
SSLlocker's Internet Explorer FREAK Vulnerable and Non Vulnerable Tests

Internet Explorer Tests are as follows (removed _WITH_ for ease of viewing)

UPDATE Mar 10 2015 after doing the FREAK Windows update
TEST 1 Not vulnerable to FREAK or Poodle (using SSLlocker ver 1.4)

TEST 1 Vulnerable to FREAK but not Poodle (using SSLlocker ver 1.4) No Longer Applicable

Key Exchanges DH PKCS(RSA) ECDH are enabled
Ciphers NULL DES RC2 RC4 are disabled
Hash MD5 is disabled
Protocols TLS 1.0 1.1 & 1.2 are enabled SSLv3 disabled
Cipher Suites
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (0xc02c)   FS 256
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (0xc02b)   FS 128
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (0xc024)   FS 256
TLS_ECDHE_ECDSA_AES_256_CBC_SHA (0xc00a)   FS 256
TLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (0xc023)   FS 128
TLS_ECDHE_ECDSA_AES_128_CBC_SHA (0xc009)   FS 128
TLS_ECDHE_RSA_AES_256_CBC_SHA384 (0xc028)   FS 256
TLS_ECDHE_RSA_AES_256_CBC_SHA (0xc014)   FS 256
TLS_ECDHE_RSA_AES_128_CBC_SHA256 (0xc027)   FS 128
TLS_ECDHE_RSA_AES_128_CBC_SHA (0xc013)   FS 128
TLS_DHE_DSS_AES_256_CBC_SHA256 (0x6a)   256
TLS_DHE_DSS_AES_256_CBC_SHA (0x38)   256
TLS_DHE_DSS_AES_128_CBC_SHA256 (0x40)  128
TLS_DHE_DSS_AES_128_CBC_SHA (0x32)   128
TLS_RSA_AES_256_CBC_SHA256 (0x3d) 256
TLS_RSA_AES_256_CBC_SHA (0x35) 256
TLS_RSA_AES_128_CBC_SHA256 (0x3c) 128
TLS_RSA_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_3DES_EDE_CBC_SHA (0xa) 112
TLS_DHE_DSS_3DES_EDE_CBC_SHA (0x13) 112


TEST 2 Not vulnerable to FREAK or Poodle Not an acceptable solution

Key Exchanges DH PKCS(RSA) ECDH are enabled
Ciphers NULL DES RC2 RC4 are disabled
Hash MD5 and SHA are disabled
Protocols TLS 1.0 1.1 & 1.2 are enabled  SSLv3 disabled BUT only TLS1.2 actually negotiates
Ciphers Suites
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (0xc02c)  FS 256
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (0xc02b)   FS 128
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (0xc024)   FS 256
TLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (0xc023)   FS 128
TLS_ECDHE_RSA_AES_256_CBC_SHA384 (0xc028)   FS 256
TLS_ECDHE_RSA_AES_128_CBC_SHA256 (0xc027)   FS 128
TLS_DHE_DSS_AES_256_CBC_SHA256 (0x6a)    256
TLS_DHE_DSS_AES_128_CBC_SHA256 (0x40)    128
TLS_RSA_AES_256_CBC_SHA256 (0x3d) 256
TLS_RSA_AES_128_CBC_SHA256 (0x3c) 128


TEST 3 Not vulnerable to FREAK or Poodle Not an acceptable solution

Key Exchanges DH ECDH are enabled PKCS(RSA) is disabled (As per MS advisory 3046015)
Ciphers NULL DES RC2 RC4 are disabled
Hash MD5 is disabled
Protocols TLS 1.0 1.1 & 1.2 are enabled  SSLv3 disabled
Cipher Suites
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (0xc02c)  FS 256
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (0xc02b)   FS 128
TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (0xc024)   FS 256
TLS_ECDHE_ECDSA_AES_256_CBC_SHA (0xc00a)   FS 256
TLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (0xc023)   FS 128
TLS_ECDHE_ECDSA_AES_128_CBC_SHA (0xc009)   FS 128
TLS_ECDHE_RSA_AES_256_CBC_SHA384 (0xc028)   FS 256
TLS_ECDHE_RSA_AES_256_CBC_SHA (0xc014)   FS 256
TLS_ECDHE_RSA_AES_128_CBC_SHA256 (0xc027)   FS 128
TLS_ECDHE_RSA_AES_128_CBC_SHA (0xc013)   FS 128
TLS_DHE_DSS_AES_256_CBC_SHA256 (0x6a)   256
TLS_DHE_DSS_AES_256_CBC_SHA (0x38)    256
TLS_DHE_DSS_AES_128_CBC_SHA256 (0x40)   128
TLS_DHE_DSS_AES_128_CBC_SHA (0x32)   128
TLS_DHE_DSS_3DES_EDE_CBC_SHA (0x13)  112

Problem  Windows Schannel contains insecure outdated EXPORT ciphers which can not be disabled directly in the Windows registry without disabling other commonly used cipher suites.

Mitigation Disable SHA hashes or PKCS(RSA) key exchanges (will black hole up to 50% of HTTPS sites)

Solution Do not use Internet Explorer for HTTPS logins until Microsoft provides updates that remove the export ciphers from Schannel. Use the latest  Chrome, Iron or Firefox browsers but test them first, as versions of Chrome prior to 41 were also FREAK vulnerable. Check the up to date list of vulnerable browsers. Note: Windows XP and Server 2003 will probably never be updated. Also from a security standpoint MS should also remove Multi-Protocol Hello NULL PCT RC2 RC4 DES SSLv2 and SSLv3 completely from Schannel.

Research We are working on a possible viable solution.

Q I am using Internet Explorer but the web site I visit is not FREAK vulnerable. Am I still at risk ?
A HTTPS web sites with HTTP access on the same server using a 301 or 302 redirect from HTTP to HTTPS,
   during that redirect you could be vulnerable to MiTM attacks.

Q Are other MS apps affected ?
A Yes Remote Desktop, Terminal Server, IIS, possibly Outlook and others using Schannel

The below test scenarios apply to IE 9 through 11 on Windows 7 through 10

The tests are the results of changes made to the Windows registry in an attempt to secure IE
while allowing the highest percentage of compatibility with HTTPS web sites.

Test 1 has the best compatibility but is FREAK vulnerable (accesses over 90% of HTTPS web sites)
Test 2, and 3 are not vulnerable to FREAK (but can only access 30% to 50% of HTTPS web sites)
Test 3 is based on MS advisory 3046015. Gpedit is not available on many versions of Windows but can enabled
Test 1 redone Mar 10 2015 with the new Windows FREAK patches installed see below
Browesr FREAK test is from SmackTLS
Previous to March 9, 2015 all versions of Internet Explorer on all
versions of Windows, were vulnerable to the FREAK MiTM attack

The FREAK MiTM vulnerability has been around for two decades and only now disclosed ?
The real question is, how long has it been actively exploited ?


NEWS FLASH Mar 10 2015 Microsoft releases FREAK patches for all versions of Windows post XP
The patch works. Just do a Windows update. The other change is SSLv3 is diasbled.
2 weak ciphers still exist. They are RSA_RC4_128_SHA and RSA_RC4_128_MD5
Just use SSLocker 1.4 (no reboot required) to remove them.