TLS test for your browsers (based on the user-agent)
Firefox about:config
security.ssl3.dhe_rsa_aes_128_sha = false
security.ssl3.dhe_rsa_aes_256_sha = false
Latest OpenSSL vulnerabilities
The much-anticipated OpenSSL announcement finally revealed no fewer than 14 vulnerabilities, 2 of them classified as high severity. Even though this is not a Heartbleed 2, you would be foolish not to patch your servers.
First, FREAK (CVE-2015-0204) has been reclassified from low to high severity by the OpenSSL developers, because EXPORT_RSA seems to be much more common than previously thought.
The second high-severity vulnerability (CVE-2015-0291, "ClientHello") only concerns the latest OpenSSL version (1.0.2) and can lead to a DoS against your server. You can read the full report on the OpenSSL website.
https://www.openssl.org/news/secadv_20150319.txt
https://ma.ttias.be/openssl-cve-2015-0291-cve-2015-0286/
On Tuesday, March 3, 2015, researchers disclosed a new SSL/TLS vulnerability — the FREAK attack. The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted or altered. There are several posts that discuss the attack in detail: Matt Green, The Washington Post, and Ed Felten.
A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.
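The exposure rule above can be checked from captured handshake data. The following is an added example, not code from the original page or from the FREAK researchers: it parses the cipher suites out of a single-record TLS ClientHello and applies the rule. The function names, the `client_has_cve_2015_0204` flag and the sample handshake bytes are assumptions constructed for illustration; only the three RSA_EXPORT suites defined in RFC 2246 are listed, and fragmented or SSLv2-format hellos are not handled.

```python
import struct

# RSA_EXPORT cipher suites from RFC 2246 (TLS 1.0), keyed by code point.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def client_hello_suites(record):
    """Return the cipher-suite code points offered in one TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 39 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    pos = 39 + body[38]   # 4 handshake hdr + 2 version + 32 random + 1 len + session_id
    if len(body) < pos + 2:
        raise ValueError("truncated before cipher_suites")
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    raw = body[pos + 2:pos + 2 + cs_len]
    if cs_len % 2 or len(raw) != cs_len:
        raise ValueError("malformed cipher_suites vector")
    return [c for (c,) in struct.iter_unpack("!H", raw)]

def export_suites_offered(record):
    """Names of the RSA_EXPORT suites the client offers, in offer order."""
    return [RSA_EXPORT_SUITES[c] for c in client_hello_suites(record) if c in RSA_EXPORT_SUITES]

def connection_exposed(server_accepted, record, client_has_cve_2015_0204=False):
    """Server accepts RSA_EXPORT and (client offers it or client OpenSSL is unpatched)."""
    server_export = any(c in RSA_EXPORT_SUITES for c in server_accepted)
    client_export = bool(export_suites_offered(record))
    return server_export and (client_export or client_has_cve_2015_0204)

def build_client_hello(suites):
    """Build a minimal constructed ClientHello (TLS 1.0, no extensions) for the demo."""
    cs = b"".join(struct.pack("!H", c) for c in suites)
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    hello = build_client_hello([0x002F, 0x0003, 0x0035])   # constructed sample
    print(export_suites_offered(hello))
    print(connection_exposed([0x002F, 0x0008], hello))
```

The `client_has_cve_2015_0204` flag matters because an unpatched OpenSSL client is exposed even when its ClientHello lists no export suite, so inspecting the offer alone understates the risk.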
This site focuses on tracking the impact of the attack. See below for:
RSA Export Suite Statistics
Popular Sites that Allow RSA Export Suites
Client Test
Sysadmin Guide
https://www.openssl.org/news/secadv_20150108.txt
http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
http://arstechnica.com/security/2015/03/freak-flaw-in-android-and-apple-devices-cripples-https-crypto-protection/
http://www.zdnet.com/article/freak-another-day-another-serious-ssl-security-hole/