The Shadowserver Foundation

SSL Export Ciphers (FREAK) Scanning Project

If you are looking at this page, then more than likely, you noticed a scan coming from this server across your network and/or poking at your web server on port 443/tcp.

The scan that you saw is part of an effort by The Shadowserver Foundation to identify hosts that allow the use of SSL/TLS with RSA_EXPORT ciphers (aka "export-grade" encryption) and report them back to the network owners for remediation. Hosts that accept these weakened ciphers can be used in a man-in-the-middle attack that forces a browser to use a weak export key, which is easily factored. This is called a FREAK (Factoring RSA Export Keys) attack. More information on the FREAK attack can be found at https://www.smacktls.com/.

Servers that are configured this way have been incorporated into our reports and are reported to network owners on a daily basis.

Methodology

We are querying all computers with routable IPv4 addresses that are not firewalled from the internet on port 443/tcp, attempting to establish an SSL connection with each host and capturing the response. We intend no harm, but if we are causing problems, please contact us at dnsscan [at] shadowserver [dot] org.

If you would like to test your own device to see if it supports export ciphers, run the command "openssl s_client -connect [IP]:443 -cipher EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5" from a Linux device. Please note that this list of ciphers may be incomplete.
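The openssl command above only tells you whether an export cipher was negotiated if you know how to read the s_client output. The script below is an added example, not Shadowserver's own tooling: it wraps that same command in a freak_check function and classifies the result as VULNERABLE (an EXP-* cipher was agreed), OK (the server refused every export cipher), UNSUPPORTED (the local openssl build cannot offer export ciphers at all) or UNKNOWN. The two sample transcripts embedded in it are constructed, abridged imitations of s_client output, used so the classifier can be exercised without a network connection.

```shell
#!/bin/sh
# Added example (not Shadowserver's code): wraps the openssl s_client self-test
# from this page and classifies the handshake outcome.

# Same export cipher list the page gives; it may be incomplete.
EXPORT_CIPHERS='EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5'

# classify_sclient: read s_client output (stdout and stderr merged) on stdin
# and print exactly one of:
#   VULNERABLE   the server negotiated an EXP-* cipher (export-grade RSA accepted)
#   OK           the server refused every export cipher offered
#   UNSUPPORTED  the local openssl build has no export ciphers to offer
#   UNKNOWN      nothing recognisable in the output
classify_sclient() {
    out=$(cat)
    # The "Cipher    : NAME" line in the SSL-Session block names what was agreed.
    cipher=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1)
    case "$cipher" in
        EXP-*) echo VULNERABLE; return 0 ;;
    esac
    case "$out" in
        *"no cipher match"*|*"Error setting cipher list"*) echo UNSUPPORTED ;;
        *"handshake failure"*|*"Cipher is (NONE)"*)        echo OK ;;
        *) if [ "$cipher" = "0000" ]; then echo OK; else echo UNKNOWN; fi ;;
    esac
}

# freak_check HOST [PORT]: run the page's self-test against your own device.
# stderr is merged so openssl's own cipher-list errors are classified too;
# stdin is closed so s_client exits as soon as the handshake has finished.
freak_check() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -cipher "$EXPORT_CIPHERS" </dev/null 2>&1 \
        | classify_sclient
}

# Constructed sample transcripts (abridged, not real captures) for offline use.
SAMPLE_VULNERABLE='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-RC4-MD5'

SAMPLE_OK='CONNECTED(00000003)
error:SSL routines:sslv3 alert handshake failure
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

if [ $# -gt 0 ]; then
    freak_check "$@"
else
    # No host given: demonstrate the classifier on the constructed samples.
    printf '%s\n' "$SAMPLE_VULNERABLE" | classify_sclient
    printf '%s\n' "$SAMPLE_OK" | classify_sclient
fi
```

Run it as "sh freak_check.sh [IP] 443" to test a host, or with no arguments to see the classifier applied to the two constructed transcripts. One caveat the page's one-liner does not mention: OpenSSL 1.1.0 and later no longer include export ciphersuites, so on a current system the command fails before any connection is made; the UNSUPPORTED result flags that case so it is not mistaken for a clean OK.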

Whitelisting

To be removed from this scan you will need to send an email to dnsscan [at] shadowserver [dot] org with the specific CIDRs that you would like to have removed. You will have to be the verifiable owner of these CIDRs and be able to prove that fact. Any address space that is whitelisted will be publicly available here: https://freakscan.shadowserver.org/exclude.html

[Map: All devices with SSL enabled ("All SSL")]

[Map: All devices that can be used in a FREAK attack ("Vulnerable to FREAK")]


If you would like us to not scan your network, please let us know and we will remove your networks from the scan.

Likewise, if you have any more questions, please feel free to send us an email at the address given above: dnsscan [at] shadowserver [dot] org
