(cache) Tracking the TLS FREAK Attack

On Tuesday, March 3, 2015, researchers disclosed a new SSL/TLS vulnerability — the FREAK attack. The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptogrpahy, which can then be decrypted. There are several posts that discuss the attack in detail: Matt Green, The Washington Post, and Ed Felten.

A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.

This site focuses on tracking the impact of the attack. See below for:

RSA Export Suite Statistics
Popular Sites that Allow RSA Export Suites
Client Test
Sysadmin Guide (coming soon!)

The FREAK attack was originally discovered by Karthikeyan Bhargavan at INRIA in Paris and the mitLS team. Further disclosure was coordinated by Matthew Green. This report is maintained by computer scientists at the University of Michigan, including Zakir Durumeric, David Adrian, Ariana Mirian, Michael Bailey, and J. Alex Halderman. The team can be contacted at zmap-team@umich.edu.

What servers are affected?

Websites that support RSA export cipher suites (e.g., TLS_RSA_EXPORT_WITH_DES40_CBC_SHA) are at risk to having HTTPS connections intercepted. In order to track the impact of the FREAK attack, we have been performing scans of the IPv4 address space and completing TLS handshakes with responsive shots. In these handshakes, we only offer RSA export suites. We have posted a list of Alexa domains that support any RSA export cipher suites at the bottom of the page bottom of the page.

Alexa Top 1 Million	12.2%
Browser Trusted Sites	36.7%
Full IPv4 Address Space	26.3%

What should I do?

If you run a web server, you should disable support for any export suites. However, instead of simply excluding RSA export cipher suites, we encourage administrators to disable support for all known insecure ciphers (e.g., there are export cipher suites protocols beyond RSA) and enable forward secrecy. Mozilla has published a guide and SSL Configuration Generator, which will generate known good configurations for common servers. You can check whether your site using the SSL Labs' SSL Server Test.

Alexa HTTPS Sites that support RSA Export Suites

The following websites in the Alexa Top 10K support RSA Export Suites as of Tuesday, March 3, 1:00 AM EST. We urge these sites to drop support for export suites. The full list of domains is available here.

Alexa Rank	Domain	Address Tested
27	sohu.com	123.125.116.19
182	businessinsider.com	64.27.101.155
234	ppomppu.co.kr	110.45.151.212
243	smzdm.com	114.113.158.226
247	americanexpress.com	23.13.171.41
251	jabong.com	23.203.7.176
273	groupon.com	184.26.49.170
290	bloomberg.com	69.191.212.191
442	4shared.com	208.88.224.136
448	npr.org	216.35.221.76
519	hatena.ne.jp	59.106.194.19
615	instructables.com	74.50.63.27
629	airtel.in	125.19.135.93
649	kohls.com	23.202.240.45
767	adplxmd.com	205.186.187.178
795	mit.edu	23.202.254.127
799	tinyurl.com	23.220.249.147
808	suning.com	122.228.85.93
820	saramin.co.kr	182.162.86.29
891	vi-view.com	50.97.32.135
903	itau.com.br	23.38.106.190
951	huaban.com	115.238.54.162
959	zomato.com	54.151.251.33
960	nationalgeographic.com	74.217.81.233
999	marriott.com	23.45.45.5
1001	jobrapido.com	46.105.106.82
1029	forever21.com	23.202.233.118
1089	wiocha.pl	195.225.138.234
1150	axisbank.com	119.226.139.40
1180	clarin.com	200.42.136.212
1236	mgid.com	208.94.232.200
1247	jcpenney.com	23.49.180.228
1261	wowhead.com	23.199.195.58
1297	gaana.com	223.165.30.26
1313	mtime.com	59.151.32.20
1360	refinery29.com	50.22.34.136
1361	vente-privee.com	185.45.180.3
1364	ynet.co.il	192.115.80.55
1383	dhgate.com	124.42.15.198
1411	vesti.ru	80.247.32.206
1424	adxcore.com	188.165.36.101
1456	sweet-page.com	50.97.32.133
1484	binaryprofessional.com	50.7.157.122
1502	globososo.com	184.173.140.162
1571	estadao.com.br	23.199.200.37
1573	jcrew.com	23.37.8.44
1586	17173.com	220.181.90.240
1599	bmi.ir	89.235.64.67
1620	zdnet.com	50.112.160.88
1628	jugem.jp	210.172.182.89
1646	accountonline.com	192.193.200.101
1662	umich.edu	141.211.243.44
1680	cornell.edu	128.253.173.241
1684	lg.com	165.244.62.23
1693	uludagsozluk.com	188.132.225.181
1722	yixun.com	111.30.131.20
1738	priceminister.com	212.23.167.62
1856	ibtimes.co.uk	64.147.114.55
1860	extra.com.br	23.221.0.145
1864	jiameng.com	117.78.2.204
1866	ihg.com	23.202.251.213
1878	miui.com	42.62.48.148
1902	syosetu.com	111.64.91.10
1915	thrillist.com	50.57.33.153
1928	dealmoon.com	198.23.88.242
1978	alice.it	217.169.121.227
1986	ansa.it	194.244.5.206
1995	duba.com	114.112.93.100
2014	leparisien.fr	95.131.142.225
2015	copyscape.com	212.100.239.219
2025	ana.co.jp	202.224.1.7
2031	suumo.jp	160.17.3.13
2035	unam.mx	132.248.10.44
2040	aruba.it	62.149.188.154
2047	gg.com.ua	213.227.192.135
2054	eltiempo.com	200.41.9.39
2064	timesjobs.com	115.112.206.11
2092	mashreghnews.ir	94.182.146.23
2106	alfabank.ru	195.218.200.205
2164	pontofrio.com.br	23.221.11.242
2170	gobizkorea.com	211.119.134.217
2185	delfi.lt	91.234.200.113
2194	epnet.com	140.234.254.41
2199	bigrock.in	103.21.58.212
2217	ohmyzip.com	216.176.192.139
2317	indiocasino.com	212.64.147.151
2326	doctissimo.fr	85.116.34.4
2342	monsterindia.com	220.226.205.30
2377	cafe24.com	222.122.205.172
2382	sedo.com	82.98.86.183
2404	famitsu.com	202.90.182.200
2413	lolking.net	23.199.195.58
2421	jstor.org	198.108.24.38
2436	literotica.com	216.150.65.200
2437	56.com	59.32.213.232
2448	incruit.com	121.254.160.232
2462	tradeindia.com	14.140.161.58
2464	taikang.com	116.58.220.1
2493	lvmama.com	114.80.83.166
2512	keywordblocks.com	50.58.197.14
2529	itv.com	193.35.9.65
2531	wannonce.com	188.165.15.58
2559	rotoworld.com	64.210.192.54
2560	ponparemall.com	160.17.4.128
2593	ole.com.ar	200.42.93.137
2605	ipeen.com.tw	60.199.195.197
2631	hotelurbano.com	107.23.208.36
2659	337.com	174.36.254.166
2687	coolenjoy.net	222.237.78.174
2693	mafengwo.cn	119.254.76.148
2702	education-portal.com	207.97.195.109
2765	beitaichufang.com	182.18.17.202
2767	dailybasis.com	68.169.73.82
2780	made-in-china.com	72.32.82.237
2796	casasbahia.com.br	23.221.16.216
2821	suntimes.com	64.94.90.42
2823	talktalk.co.uk	62.24.150.2
2843	gocomics.com	66.6.101.183
2853	weathernews.jp	211.8.49.106
2863	mk.co.kr	220.73.139.201
2875	cnyes.com	211.72.252.30
2879	giga.de	80.86.80.168
2880	www.net.cn	42.156.140.7
2897	marksandspencer.com	23.203.7.229
2901	twitcasting.tv	202.234.23.144
2955	wmmail.ru	185.15.210.21
2964	infibeam.com	180.179.101.143
2975	seobook.com	207.97.249.100
2995	dv37.com	218.5.238.175
3102	olleh.com	183.110.184.90
3113	tenpay.com	112.90.82.140
3142	testberichte.de	62.146.104.29
3158	motorola.com	144.188.128.101
3163	sidereel.com	173.247.105.225
3280	ehanex.com	203.251.153.26
3295	nsw.gov.au	203.3.232.71
3305	santander.com.br	23.202.248.145
3315	usajobs.gov	23.13.162.35
3318	hola.com	62.22.171.50
3344	1hai.cn	222.73.36.200
3366	sbicard.com	59.144.22.1
3367	focus.cn	123.126.104.8
3375	5usport.com	113.105.142.200
3385	bouyguestelecom.fr	84.37.9.183
3415	afreeca.com	121.125.76.89
3442	khan.co.kr	203.234.148.252
3449	enuri.com	124.243.126.244
3451	lan.com	67.15.147.205
3455	wechat.com	203.205.142.141
3502	jorudan.co.jp	210.168.27.165
3515	afkarnews.ir	5.144.129.189
3526	whitehouse.gov	23.13.176.110
3542	19lou.com	115.236.99.92
3543	yinyuetai.com	117.79.131.138
3583	rs-online.com	80.169.5.117
3604	mediaite.com	69.60.14.234
3611	persianv.com	5.144.130.216
3614	hypebeast.com	50.112.144.237
3618	ilmessaggero.it	85.18.214.171
3636	pc6.com	220.162.97.209
3646	am15.net	95.213.156.90
3653	trafficshop.com	78.140.142.21
3670	kuwo.cn	221.238.18.58
3687	bankrate.com.cn	211.151.169.36
3689	marketgid.com	87.242.88.80
3731	tribalfusion.com	204.11.109.195
3759	techinasia.com	50.97.236.4
3780	freemail.hu	195.228.245.1
3804	delfi.lv	62.63.137.6
3849	lenskart.com	54.254.151.162
3867	pcfaster.com	180.76.2.25
3914	dinodirect.com	184.173.225.136
3954	gearbest.com	50.97.75.179
3981	nordstromrack.com	23.220.249.107
3982	rincondelvago.com	198.64.137.53
4021	honda.com	164.109.25.194
4042	cjmall.com	210.122.101.150
4072	juntadeandalucia.es	217.12.24.33
4099	standardbank.co.za	196.8.136.20
4152	dominos.co.in	202.87.34.218
4158	virginia.edu	128.143.22.36
4161	backlinkwatch.com	74.204.189.20
4178	sec.gov	23.202.222.140
4247	subscribe.ru	81.9.34.191
4298	nespresso.com	91.209.84.237
4300	delfi.ee	185.20.100.249
4307	gingersoftware.com	173.231.146.230
4349	androidpit.com	54.80.50.197
4364	ria.com	213.95.148.25
4400	topshop.com	23.221.16.184
4402	veoh.com	69.167.127.57
4493	recruit.co.jp	160.17.7.22
4496	mamaclub.com	61.64.53.205
4533	eldiario.es	37.46.75.24
4554	alriyadh.com	89.189.232.23
4563	mca.gov.in	14.140.191.120
4567	linkprice.com	222.236.44.131
4599	weather.gc.ca	205.189.10.44
4615	ets.org	144.81.88.152
4623	funweek.it	151.1.71.171
4632	ip138.com	61.140.13.87
4637	virtualedge.com	74.205.242.20
4641	kaixin001.com	220.181.103.141
4661	yes24.com	61.111.13.101
4666	shueisha.co.jp	210.133.105.162
4669	sofmap.com	61.204.171.132
4723	pearltrees.com	93.184.35.40
4728	pearson.com	159.182.33.151
4753	mzamin.com	66.226.79.63
4763	nova.cz	88.86.114.130
4787	gongkong.com	59.151.1.94
4793	propellerads.com	78.140.145.203
4796	tamin.ir	80.191.79.22
4854	entekhab.ir	94.182.146.40
4868	lefrecce.it	23.72.46.92
4872	trafficholder.com	64.111.214.2
4926	utoronto.ca	142.150.210.7
4957	syosetu.org	133.242.85.51
4985	sleazyneasy.com	68.169.101.206
5045	ohio.gov	156.63.96.228
5055	katestube.com	64.188.53.206
5068	filmstarts.de	62.39.143.50
5110	jahannews.com	87.107.52.140
5134	mangocity.com	121.34.253.140
5141	googleping.com	208.109.97.183
5189	e-rewards.com	63.241.211.118
5231	hostgator.in	103.21.59.167
5232	key-find.com	50.97.32.136
5233	dereferer.org	195.234.228.80
5235	fishmpegs.com	68.169.73.82
5379	germanbankersecrets.org	50.7.157.122
5385	markt.de	213.95.6.42
5411	beyond.com	68.168.84.50
5429	labirint.ru	194.84.83.148
5546	ponpare.jp	160.17.13.128
5564	epost.go.kr	211.250.131.141
5583	dir.bg	194.145.63.12
5592	gem.pl	85.232.225.226
5605	vikatan.com	180.150.140.172
5613	voici.fr	89.31.150.122
5662	umeng.com	211.151.151.6
5667	porsche.com	84.21.48.97
5719	townwork.net	160.17.2.8
5785	sublimetext.com	209.20.75.76
5803	advego.ru	95.163.127.68
5806	parkoz.com	211.115.209.190
5862	33lc.com	183.136.217.13
5873	game321.com	37.58.67.11
5877	ekitan.com	125.29.62.70
5888	lufax.com	222.73.151.131
5919	orange.es	62.36.20.46
5945	element14.com	83.100.177.204
5948	totheglory.im	38.83.103.226
5950	alltop.com	184.106.130.115
5965	canadiantire.ca	205.210.17.105
5995	startlap.com	77.111.91.52
6013	yootheme.com	188.226.251.160
6028	rd.com	54.235.221.229
6030	24ur.com	91.202.65.190
6060	findthebest.com	54.215.14.104
6098	seoul.co.kr	211.169.247.231
6157	draftkings.com	23.203.3.237
6226	usnetads.com	74.208.192.200
6244	sciencealert.com	119.81.53.4
6275	elnuevodia.com	196.32.153.146
6310	designspiration.net	64.207.147.221
6399	dreammail.jp	106.187.122.190
6427	epson.co.jp	203.179.25.109
6538	infor.pl	193.164.157.245
6574	minijuegos.com	217.13.124.222
6578	beyazperde.com	62.39.143.50
6582	artlebedev.ru	195.218.200.11
6591	bluestacks.com	208.66.135.54
6595	makeupalley.com	69.60.134.134
6599	themalaysianinsider.com	203.223.159.194
6617	soaindo.com	119.81.21.170
6623	cr173.com	218.6.111.42
6630	techgig.com	115.112.206.15
6665	rtl.be	81.92.238.91
6690	myfxbook.com	108.163.193.212
6764	shinhancard.com	210.112.177.1
6786	stamps.com	216.52.211.93
6822	nissan.co.jp	150.63.3.21
6835	wsodownloads.info	185.66.140.67
6873	todaysppc.com	61.100.186.155
6879	hanjin.co.kr	203.251.153.29
6904	freedigitalphotos.net	95.138.157.18
6945	wikimart.ru	195.208.182.2
6953	femina.hu	195.228.155.84
6984	mps.it	195.7.19.86
6994	pasionlibertadores.com	184.105.139.44
6995	hellomagazine.com	62.22.15.85
7045	leggo.it	85.18.214.165
7069	cpmfx.com	81.4.124.18
7096	n4hr.com	184.173.179.185
7105	83suncity.com	122.152.179.70
7108	dip.jp	61.197.187.238
7177	rzeczpospolita.pl	217.149.245.170
7180	cue-monitor.jp	210.227.82.43
7181	yengo.com	124.109.3.27
7194	chanet.com.cn	211.151.83.246
7206	daniweb.com	74.53.219.188
7221	2nn.jp	218.219.149.44
7229	ad-center.com	208.99.88.30
7247	mg.gov.br	200.198.22.138
7248	correos.es	193.148.158.218
7251	thegeekstuff.com	173.192.49.107
7269	plan-q-secret.com	188.165.35.54
7288	geeksforgeeks.org	119.18.54.25
7319	themarysue.com	69.60.24.234
7344	t3n.de	94.198.61.181
7394	savenkeep.com	81.88.48.82
7421	subtitles.at	212.124.121.146
7430	lordandtaylor.com	69.10.139.22
7528	brown.edu	128.148.252.129
7568	trojmiasto.pl	193.104.50.210
7579	qianxs.com	211.144.120.28
7661	telenet.be	84.116.34.18
7665	183.com.cn	211.156.219.109
7698	mumsnet.com	87.246.123.17
7722	ripoffreport.com	192.225.215.36
7751	netcombo.com.br	201.6.19.16
7753	copytraderpro.com	50.7.157.122
7763	planalto.gov.br	189.9.37.9
7780	gyakorikerdesek.hu	91.198.131.12
7806	jeep.com	129.9.76.228
7871	lyricsmode.com	178.18.22.163
7902	streetdirectory.com	54.169.90.138
7907	x3xtube.com	64.111.213.29
7909	networksolutionsemail.com	205.178.146.50
7912	fbdownloader.com	54.245.81.123
7918	mobypicture.com	174.129.227.239
7924	calcalist.co.il	192.115.80.66
7946	vw.com.tr	217.68.221.221
7954	madewell.com	172.225.14.232
7967	5pao.com	61.140.13.81
7971	toodledo.com	72.4.112.214
7975	sensacine.com	62.39.143.50
7992	linksys.com	66.161.11.90
8074	standardmedia.co.ke	212.100.244.246
8080	eurobank.gr	193.58.70.3
8095	coocan.jp	202.248.237.141
8114	coach.com	23.202.227.155
8138	macmillandictionary.com	195.138.194.22
8163	deser.pl	80.252.0.132
8174	vno.co.kr	121.162.155.183
8185	gordonua.com	91.224.10.20
8198	russia.tv	80.247.32.206
8264	doortodoor.co.kr	61.33.235.20
8272	bluetradingonline.net	50.7.157.122
8315	diegrossechance.net	50.7.157.122
8318	translate.ru	62.152.52.123
8321	cnsnews.com	199.175.56.184
8327	jn.pt	80.251.169.146
8398	restorationhardware.com	23.202.192.45
8401	pcgameshardware.de	62.146.104.132
8407	escapadarural.com	176.31.247.181
8421	baharnews.ir	87.107.133.77
8427	transrush.com	113.106.94.46
8428	iporter.com	222.239.73.34
8441	davidsbridal.com	208.74.49.181
8496	ucr.edu	138.23.226.208
8517	gaymaletube.com	64.188.56.183
8536	ecpic.com.cn	116.228.143.177
8538	mbusa.com	141.113.146.23
8551	uploadbaz.com	188.138.1.98
8590	auto-profit-replicator.com	198.154.200.85
8598	pinkvilla.com	174.129.200.25
8608	priberam.pt	62.28.135.67
8613	newsen.com	27.1.17.135
8635	caclubindia.com	67.227.132.46
8644	parsine.com	94.182.146.66
8662	unionpaysecure.com	173.223.54.31
8668	streamay.com	192.3.181.74
8671	onenote.com	23.13.167.6
8707	vertex42.com	216.177.136.65
8710	ynetnews.com	192.115.80.66
8719	nielsen.com	138.108.20.122
8727	unext.jp	125.63.43.78
8762	locanto.com	89.19.234.51
8852	real.gr	62.1.44.131
8869	ca.com	23.202.241.108
8967	iesa.co	50.31.86.60
8969	kotree.com	121.254.168.49
9005	ytn.co.kr	183.111.158.30
9026	polskieradio.pl	195.245.217.50
9049	bolsademulher.com	178.32.160.243
9084	daringfireball.net	199.192.241.217
9137	wileyplus.com	199.171.200.191
9139	360game.vn	49.213.127.67
9171	photo.net	64.95.64.39
9191	wordtracker.com	148.251.89.68
9293	senate.gov	23.202.229.166
9302	twitpic.com	173.236.110.98
9345	femina.mk	217.16.95.60
9353	automaticmobilecash.com	75.98.168.189
9385	patriots.com	216.235.243.188
9389	hatelabo.jp	59.106.194.34
9483	ddo.jp	219.94.135.204
9509	closermag.fr	83.231.216.103
9547	bharatiyamobile.com	72.167.40.178
9594	brokenlinkcheck.com	96.43.131.30
9678	hungryapp.co.kr	115.68.64.57
9698	bradesconetempresa.b.br	200.155.86.35
9763	hitosara.com	125.63.40.49
9771	ui.ac.id	152.118.24.181
9787	3987.com	125.90.204.48
9821	heydouga.com	65.39.253.110
9849	soccerline.co.kr	112.175.88.170
9903	webike.net	125.206.119.33
9905	flyme.cn	113.108.229.220
9911	temple.edu	155.247.166.60
9915	belluna.jp	23.13.174.254
9931	deichmann.com	145.253.207.220
9962	ntt.com	210.226.39.112
9964	shafaf.ir	94.182.146.19
9966	twitterfeed.com	128.241.116.5
9967	librus.pl	46.248.183.21

Tracking the FREAK Attack

What servers are affected?

What should I do?

Alexa HTTPS Sites that support RSA Export Suites