FREAK attack on TLS/SSL Flaw Affects Popular Domains and Browsers

News of a bug that affects Transport Layer Security/ Secure Sockets Layer (TLS/SSL), an authentication protocol used by countless sites and browsers, including roughly 10% of top domains as well as Android and Safari web browsers, points to roots way back in the 90s.

In a statement released Tuesday, university and industry researchers established how the SSL/TLS flaw—one with a moderate severity score and recognized as CVE-2015-0204—can be attacked. Proving that this bug is real and exploitable, they set out to perform the FREAK attack, which stands for Factoring RSA Export Keys.

As it turned out, man-in-the-middle attacks can force secure encrypted sites to instead use a flawed one—the ‘export-grade’ cryptography enforced in the 1990s, unusable today but still found in various websites—that attackers can easily decrypt to snoop into secure communications.

[Read: FREAK Vulnerability Forces Weaker Encryption]

“Back in the early 1990s, it was illegal to export most products from the U.S. if they had strong cryptography. To be exportable, a system had to use small keys that could be defeated by a brute-force search over the (reduced) key space. Because of this, the secure web protocol, SSL, was designed to allow either party to a communication to ask to use a special export mode,” writes Edward W. Felten, Professor of Computer Science and Public Affairs at the Princeton University in a blog post.

In an incident reminiscent of social media throwback posts, we now see how a past security issue can make its way to the present and still affect Internet users. Users who can be affected if they fulfill the following criteria:

  • Internet users with a vulnerable client (Android browsers, OpenSSL versions, Chrome versions before 41, Safari, and others still pending) that connects to sites that allow export suites.
  • Web administrators for one or more of the HTTPS sites that allow export suites, which includes AmericanExpress.com, Bloomberg.com, NSA.gov, FBI.gov,

[Read: Complete list of popular sites that support RSA export suites]

Export-Grade Ciphers, the Server’s Appendix

For both Internet users and web administrators, the glaring solution is to wait for patches and update accordingly. Android or iOS systems need to be patched to fix the related libraries.

In the case of server administrators, the only reason they would be wary of patching is if their servers only support these ‘export-grade’ ciphers, the probability of which is small. As such, these weaker ciphers basically represent appendages that the server no longer needs—an appendix of minimal use. Similarly, they need to be removed or patched so as to not incur any more damage.

Researchers recommend that administrators disable support for any export suites and all known insecure ciphers and enable forward secrecy. Administrators can also check if their site is vulnerable by using the SSL Labs’ SSL Server Test. Additionally, a data security solution and a firewall system can also be used to resolve this vulnerability.
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.