F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Getting FREAK-y with BIG-IP

Since it’s been about 3 months since POODLE, we’re clearly overdue for another major vulnerability in SSL and/or TLS. Fortunately for us, the research team at SmackTLS has released details of the FRE...
Published Mar 04, 2015
Version 1.0
security
BAMcHenry's avatar
Ret. Employee
Brian McHenry leads product management for Security solutions on the BIG-IP, NGINX, and Distributed Cloud data planes. In this role, he sets strategy for the growing $750M annual business for the Advanced WAF, SSL Orchestrator, Access Policy Manager, and NGINX App Protect products. McHenry takes pride in enabling F5’s customers to be successful as well as in improving their security postures to make the Internet a safer place. McHenry works across multiple groups at F5, including the Strategy Office, Office of the CTO, Marketing, Services, Support, and Sales. He is also a published writer and a frequent speaker at infosec conferences and events. He is a co-founder of Security B-Sides NYC, and committed to giving back to the Infosec community.
View Profile
MegaZone's avatar
MegaZone
Icon for SIRT rankSIRT
Mar 04, 2015
The other vulnerability, as per the SOL, is with HTTPS monitors, but: 1. Monitors are almost always exclusively used on the private network, isolated from the public. 2. If someone is in position to MITM your monitor traffic, and they go through all of the effort to do so, they'll manage to obtain decrypted - monitor traffic. It is exceedingly rare that someone would have sensitive data in their HTTPS monitors. So they have the export RSA key - but the management plane isn't normally opening connections that could be MITM'd, except for monitors. And if the servers being monitored are patched to not support export RSA ciphers, then the MITM won't work to start with. So patch those servers. There is a mitigation in the SOL (-kRSA), but the user has to decide if it is really necessary.