HTTPS crypto protection suffers "FREAK" flaw
March 3, 2015 8:53 PM Subscribe
Washington Post: Technology companies are scrambling to fix a major security flaw that for more than a decade left users of Apple and Google devices vulnerable to hacking when they visited millions of supposedly secure Web sites, including Whitehouse.gov, NSA.gov and FBI.gov. The flaw resulted from a former U.S. government policy that forbade the export of strong encryption and required that weaker “export-grade” products be shipped to customers in other countries, say the researchers who discovered the problem. These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year.
Arstechnica: The potential for abuse is high, since many website operators are reluctant to change the keys underpinning their HTTPS protection. As Green explained:
"You see, it turns out that generating fresh RSA keys is a bit costly. So modern web servers don't do it for every single connection. In fact, Apache mod_ssl by default will generate a single export-grade RSA key when the server starts up, and will simply re-use that key for the lifetime of that server."
What this means is that you can obtain that RSA key once, factor it, and break every session you can get your 'man in the middle' mitts on until the server goes down. And that's the ballgame.
You can test your client on the website Freakattack.com. Sites can be tested at SSLLabs, and server admins should look to disable support for export cipher suites.
More reading on the topic from Matthew Green, Ed Felten.
Arstechnica: The potential for abuse is high, since many website operators are reluctant to change the keys underpinning their HTTPS protection. As Green explained:
"You see, it turns out that generating fresh RSA keys is a bit costly. So modern web servers don't do it for every single connection. In fact, Apache mod_ssl by default will generate a single export-grade RSA key when the server starts up, and will simply re-use that key for the lifetime of that server."
What this means is that you can obtain that RSA key once, factor it, and break every session you can get your 'man in the middle' mitts on until the server goes down. And that's the ballgame.
You can test your client on the website Freakattack.com. Sites can be tested at SSLLabs, and server admins should look to disable support for export cipher suites.
More reading on the topic from Matthew Green, Ed Felten.
Remember... these same organizations wanted CLIPPER in everything. EVERYTHING.
posted by PROD_TPSL at 9:09 PM on March 3, 2015 [9 favorites]
posted by PROD_TPSL at 9:09 PM on March 3, 2015 [9 favorites]
And now for something completely different: A SSL/TLS vulnerability.
posted by wotsac at 9:17 PM on March 3, 2015 [3 favorites]
posted by wotsac at 9:17 PM on March 3, 2015 [3 favorites]
This is what happens when government mandates backdoors in cryptography. Keep that in mind the next time creeps like David Cameron or Mike Rogers start talking about the need for a "golden key".
posted by indubitable at 9:18 PM on March 3, 2015 [14 favorites]
posted by indubitable at 9:18 PM on March 3, 2015 [14 favorites]
This is only one of two TLS vulns released today by these authors. The other, from a quick read, only affects java based TLS implementations. See here.
Additionally, it looks like after BH-Asia, well have another RC4 vuln.
Finally, FREAK was fixed in OpenSSL back in January. I know the press is running with it and calling it new, but I think a lot of that is just due to the theatrics of MITM'ing nsa.gov.
posted by yeahwhatever at 9:25 PM on March 3, 2015 [3 favorites]
Additionally, it looks like after BH-Asia, well have another RC4 vuln.
Finally, FREAK was fixed in OpenSSL back in January. I know the press is running with it and calling it new, but I think a lot of that is just due to the theatrics of MITM'ing nsa.gov.
posted by yeahwhatever at 9:25 PM on March 3, 2015 [3 favorites]
PROD_TPSL: "Remember... these same organizations wanted CLIPPER in everything. EVERYTHING."
Good thing we traded that for absolutely no encryption whatsoever on pots lines.
posted by Mitheral at 9:47 PM on March 3, 2015
Good thing we traded that for absolutely no encryption whatsoever on pots lines.
posted by Mitheral at 9:47 PM on March 3, 2015
Finally, FREAK was fixed in OpenSSL back in January.
Are you saying this bug was public knowledge in January? It's pretty standard to allow vendors time to fix issues before announcing them (and yeah, people can watch open source projects to look for security fixes that aren't announced).
It's pretty important to sound a trumpet when you have to tell most of the world's web servers they *need* to update their software. I wouldn't call that theatrics. Calling out the list of offending servers is a good way to shame them into action.
I think mentioning the NSA is important, because it was they that helped weaken crypto standards in the first place. Newspaper love irony.
posted by el io at 9:49 PM on March 3, 2015 [1 favorite]
Are you saying this bug was public knowledge in January? It's pretty standard to allow vendors time to fix issues before announcing them (and yeah, people can watch open source projects to look for security fixes that aren't announced).
It's pretty important to sound a trumpet when you have to tell most of the world's web servers they *need* to update their software. I wouldn't call that theatrics. Calling out the list of offending servers is a good way to shame them into action.
I think mentioning the NSA is important, because it was they that helped weaken crypto standards in the first place. Newspaper love irony.
posted by el io at 9:49 PM on March 3, 2015 [1 favorite]
On the client side, Firefox is not vulnerable since it uses the NSS security library which will not accept "export-strength" ciphers. If you have an old Android device where the default browser doesn't receive security patches, Firefox is your best bet for an up-to-date browser. (Disclosure: I used to work on Firefox for Android.)
posted by mbrubeck at 10:01 PM on March 3, 2015 [13 favorites]
posted by mbrubeck at 10:01 PM on March 3, 2015 [13 favorites]
Are you saying this bug was public knowledge in January?
Yes. See here, specifically CVE-2015-0204:
https://www.openssl.org/news/secadv_20150108.txt
The bug was fixed in OpenSSL 1.0.1k, which was released the the 8th of January.
posted by yeahwhatever at 10:10 PM on March 3, 2015
Yes. See here, specifically CVE-2015-0204:
https://www.openssl.org/news/secadv_20150108.txt
The bug was fixed in OpenSSL 1.0.1k, which was released the the 8th of January.
posted by yeahwhatever at 10:10 PM on March 3, 2015
You'll see the OpenSSL vulnerability is rated as Low severity. I also believe the flaw in Apple TLS/SSL clients (used in IOS, Mac etc) wasn't public until today, and there is currently no patch. From the Matthew Green post linked above, the reason this is "news" is due to the following (which is covered, in a very low key way, by the very brief OpenSSL security advisory you mentioned above):
If EXPORT ciphers are known to be broken, what's the news here?
We don't usually worry about export-grade cipher suites very much, because supposedly they aren't very relevant to the modern Internet. There are three general reasons we don't think they matter anymore:
1. Most 'modern' clients (e.g., web browsers) won't offer export grade ciphersuites as part of the negotiation process. In theory this means that even if the server supports export-grade crypto, your session will use strong crypto.
2. Almost no servers, it was believed, even offer export-grade ciphersuites anymore.
3. Even if you do accidentally negotiate an export-grade RSA ciphersuite, a meaningful attack still requires the attacker to factor a 512-bit RSA key (or break a 40-bit symmetric cipher). This is doable, but it's generally considered too onerous if you have to do it for every single connection.
Among the vulnerable sites until this hit the news was one serving the facebook like button, which shows up in many secure sites.
posted by Admira at 10:47 PM on March 3, 2015 [6 favorites]
If EXPORT ciphers are known to be broken, what's the news here?
We don't usually worry about export-grade cipher suites very much, because supposedly they aren't very relevant to the modern Internet. There are three general reasons we don't think they matter anymore:
1. Most 'modern' clients (e.g., web browsers) won't offer export grade ciphersuites as part of the negotiation process. In theory this means that even if the server supports export-grade crypto, your session will use strong crypto.
2. Almost no servers, it was believed, even offer export-grade ciphersuites anymore.
3. Even if you do accidentally negotiate an export-grade RSA ciphersuite, a meaningful attack still requires the attacker to factor a 512-bit RSA key (or break a 40-bit symmetric cipher). This is doable, but it's generally considered too onerous if you have to do it for every single connection.
Among the vulnerable sites until this hit the news was one serving the facebook like button, which shows up in many secure sites.
posted by Admira at 10:47 PM on March 3, 2015 [6 favorites]
A quick test this morning on my Android phone using freakattack.com showed that Firefox & Puffin browsers aren't affected. On the other hand: Chrome, UC Browser, & CM Browser are and Dolphin is but pops up a warning. No idea about whether Opera is affected.
posted by BrotherCaine at 1:34 AM on March 4, 2015 [1 favorite]
posted by BrotherCaine at 1:34 AM on March 4, 2015 [1 favorite]
Signaling System 7 has no security or encryption mechanism at all. CLIPPER would have encumbered generations of hardware phones with a known entry point. In the early 1990's the computing power for on the fly data encryption was not in the possession of us mere mortals. Software encryption which encapsulates messages over a network that can never be trusted using open source software and verified cryptographic algorithms is the only route we have to keep communications private and secure in the world that has been built via collusion and "persuasion". CLIPPERs security would have been illusory at best, and mendacious at worst.
posted by PROD_TPSL at 2:45 AM on March 4, 2015 [1 favorite]
posted by PROD_TPSL at 2:45 AM on March 4, 2015 [1 favorite]
Chrome OS version 40.0.2214.115 gets "Good News! Your browser appears to be safe from the FREAK Attack!"
posted by jim in austin at 5:52 AM on March 4, 2015 [2 favorites]
posted by jim in austin at 5:52 AM on March 4, 2015 [2 favorites]
So iPhone users are screwed then? Last time I checked every browser app on iOS is just a wrapper of Apple-flavored WebKit so if they don't fix it there's not much you can do.
posted by Doleful Creature at 6:17 AM on March 4, 2015
posted by Doleful Creature at 6:17 AM on March 4, 2015
So iPhone users are screwed then? Last time I checked every browser app on iOS is just a wrapper of Apple-flavored WebKit so if they don't fix it there's not much you can do.
When they fix it, all 3rd-party browsers will be fixed as well.
posted by i_have_a_computer at 7:14 AM on March 4, 2015
When they fix it, all 3rd-party browsers will be fixed as well.
posted by i_have_a_computer at 7:14 AM on March 4, 2015
My big takeaway from this is that legacy code is a poisoned gift that keeps on giving. If you asked any nerd with just a hint of security expertise they'd say "oh yeah 512 bit keys are useless; good thing no one uses those any more!". Well surprise, we still use them! /facepalm
SSL is so terribly brittle in so many ways. I'd like to think all the weaknesses found in it recently are good things, the result of more people attacking it. But, well, it's the only meaningful network encryption and authentication we have for the Web and it keeps being found to be lacking.
I sure wish IPSEC had succeeded.
posted by Nelson at 8:37 AM on March 4, 2015 [2 favorites]
SSL is so terribly brittle in so many ways. I'd like to think all the weaknesses found in it recently are good things, the result of more people attacking it. But, well, it's the only meaningful network encryption and authentication we have for the Web and it keeps being found to be lacking.
I sure wish IPSEC had succeeded.
posted by Nelson at 8:37 AM on March 4, 2015 [2 favorites]
yeahwhatever: The other, from a quick read, only affects java based TLS implementations.To be fair, what doesn't affect java? AFAICT, java can be broken by... Oops, waitaminnit. Gotta update java.
posted by IAmBroom at 9:32 AM on March 4, 2015
Encryption backdoors will always turn around and bite you in the ass.
posted by ChurchHatesTucker at 11:47 AM on March 4, 2015
posted by ChurchHatesTucker at 11:47 AM on March 4, 2015
« Older When Is a Robin Not a Robin? When It's a Thrush. | Save the Honeybee, Sterilize the Earth Newer »
This thread has been archived and is closed to new comments
posted by Greg_Ace at 8:58 PM on March 3, 2015 [1 favorite]