On Tue, Mar 10, 2015 at 08:44:57AM +0000, Christian Georg wrote:

> I understand that the downgrading of the ciphersuites is a bug in the
> library that should be patched. Doing this can however be difficult when
> talking about mobile apps that use OS libraries. From my understanding
> the bug only works within the limit of ciphersuites permitted by both the
> client and the server.

That understanding is, I believe, wrong. Only the server needs to support
EXPORT ciphers. The client just needs a vulnerable library.

> Therefore my assumption is if the server side does only offer strong ciphers
> I do not have to worry too much about the ability to exploit the FREAK
> vulnerability e.g. in Android clients.

Yes, if the server disables EXPORT ciphers the clients are safe with
*that* server, but will remain vulnerable with other servers. The
clients do need to be patched.

-- 
Viktor.
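The two preconditions Viktor describes (a server that still accepts EXPORT suites, and a client library with the FREAK bug) can be made concrete with a toy model of the handshake. This is an added example written for this page, not code from the thread or from any TLS library; the cipher names, the `Client`/`Server` classes and the `handshake` function are constructed for illustration and perform no real cryptography.

```python
# Toy model of the FREAK preconditions (constructed, not a real TLS stack).
# Cipher names are OpenSSL-style; EXP-* are the 1990s export-grade suites.
STRONG_RSA = "AES128-SHA"          # plain RSA key exchange, no ServerKeyExchange
EXPORT_RSA = "EXP-RC4-MD5"         # RSA_EXPORT: server sends a 512-bit temp key


class Server:
    def __init__(self, suites):
        self.suites = suites        # what the server is configured to accept

    def choose(self, offered):
        for s in offered:           # first mutually supported suite wins
            if s in self.suites:
                return s
        return None                 # no common suite: handshake_failure alert


class Client:
    def __init__(self, patched):
        self.patched = patched

    def accept_key_exchange(self, negotiated, server_key_exchange):
        # A ServerKeyExchange is only legitimate for an export suite. The FREAK
        # bug is that an unpatched client silently accepts one (and its weak
        # 512-bit RSA key) even though it believes a normal RSA suite was chosen.
        if server_key_exchange is None:
            return True
        if negotiated == EXPORT_RSA:
            return True
        return not self.patched


def handshake(client, server, mitm):
    """Return 'strong', 'downgraded', 'rejected' or 'failed'."""
    offered = [STRONG_RSA]          # the client itself only offers strong suites
    if mitm:
        offered = [EXPORT_RSA]      # an on-path attacker rewrites the ClientHello
    chosen = server.choose(offered)
    if chosen is None:
        return "failed"             # server has no EXPORT suites: safe here
    ske = {"rsa_bits": 512} if chosen == EXPORT_RSA else None
    if mitm:
        chosen = STRONG_RSA         # attacker rewrites the ServerHello back
    if client.accept_key_exchange(chosen, ske):
        return "downgraded" if ske else "strong"
    return "rejected"
```

Disabling EXPORT suites on your own server turns the outcome into "failed" for that server only; the same unpatched client still reaches "downgraded" against any other server that keeps them enabled.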