A flaw in OpenSSL and Apple’s Secure Transport implementation of SSL and TLS protocols is putting millions of Android and Apple device users as well as visitors of secured sites in danger of having their encrypted connections decrypted, and the information exchanged with the servers behind them intercepted.
Dubbed FREAK (Factoring RSA Export Keys), the flaw was discovered by a group of researchers from INRIA Paris-Rocquencourt, Microsoft Research, and IMDEA Software, while testing popular open source TLS implementations for state machine bugs.
“This attack targets a class of deliberately weak export cipher suites. As the name implies, this class of algorithms has been introduced under the pressure of US government agencies to ensure that the NSA would be able to decrypt all foreign encrypted communication, while stronger algorithms were banned from export (as they were classified as weapons of war),” they explained.
“Support for these weak algorithms has remained in many implementations such as OpenSSL, even though they are typically disabled by default; however, we discovered that several implementations incorrectly allow the message sequence of export ciphersuites to be used even if a non-export ciphersuite was negotiated. Thus, if a server is willing to negotiate an export ciphersuite, a man-in-the-middle may trick a browser (which normally doesn’t allow it) to use a weak export key. By design, export RSA moduli must be less than 512 bits long; hence, they can be factored in less than 12 hours for $50 on Amazon EC2.”
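The researchers' description boils down to a state-machine rule a TLS client must enforce: which handshake messages it accepts is dictated by the cipher suite in ServerHello, not by what arrives on the wire. The following added example (not code from the researchers, OpenSSL or Apple) implements that check for RSA key exchange, parses the ServerRSAParams structure an export suite carries, and flags the mismatch the page describes; the 512-bit modulus is a constructed placeholder, not a real key.

```python
import struct

# Cipher suite ids from RFC 4346 / RFC 5246 (real values, used here as samples).
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
STATIC_RSA_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def parse_rsa_server_params(body):
    """Parse ServerRSAParams: rsa_modulus and rsa_exponent, each a 16-bit
    length-prefixed big-endian integer. The remainder is the signature,
    returned untouched (signature checking is a separate step)."""
    pos, values = 0, []
    for _ in range(2):
        if pos + 2 > len(body):
            raise ValueError("truncated ServerRSAParams")
        (length,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if length == 0 or pos + length > len(body):
            raise ValueError("malformed ServerRSAParams")
        values.append(int.from_bytes(body[pos:pos + length], "big"))
        pos += length
    return values[0], values[1], body[pos:]

def validate_key_exchange(suite, server_key_exchange):
    """Return (accept, reason, modulus_bits) for the negotiated suite and the
    ServerKeyExchange body received (None if the server sent none)."""
    if suite in STATIC_RSA_SUITES:
        if server_key_exchange is not None:
            # The FREAK condition: non-export RSA suite negotiated, yet an
            # export-style temporary RSA key is being pushed at the client.
            return False, "ServerKeyExchange not allowed for " + STATIC_RSA_SUITES[suite], None
        return True, "ok", None
    if suite in EXPORT_RSA_SUITES:
        if server_key_exchange is None:
            return False, "export suite requires ServerKeyExchange", None
        modulus, _exp, _sig = parse_rsa_server_params(server_key_exchange)
        # Export suites should be disabled outright; report the key size anyway.
        return False, "export-grade RSA key exchange", modulus.bit_length()
    return False, "unknown cipher suite 0x%04X" % suite, None

def build_rsa_server_params(modulus, exponent):
    """Encode ServerRSAParams; used only to construct the sample below."""
    out = b""
    for v in (modulus, exponent):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

# Constructed sample: a 512-bit placeholder modulus (not a real key), e = 65537.
SAMPLE_SKE = build_rsa_server_params((1 << 511) | 1, 65537)
```

Running `validate_key_exchange(0x002F, SAMPLE_SKE)` reproduces the situation the researchers describe and is rejected, while the same message under suite 0x0003 is reported as a 512-bit export-grade key.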
The flaw was patched in OpenSSL in January, but Apple has yet to patch Secure Transport for OS X and iOS – the company has announced it will roll out the fix next week.
A patch for Google’s Android browser has already been provided by Google to device makers and mobile carriers, so it will depend on them how soon it will be pushed out to users. Past experience tells us this could take quite a while.
This flaw doesn’t affect only client software, but servers as well.
“Ironically, many US government agencies (including the NSA and FBI), as well as a number of popular websites (IBM, or Symantec) enable export ciphersuites on their server – by factoring their 512-bit RSA modulus, we can impersonate them to vulnerable clients,” the researchers shared.
Test whether your client is vulnerable to this flaw by visiting this site, and if it is, consider using another, non-vulnerable one until the problem is fixed. Safari for OS X is vulnerable, but Firefox is not, and Google is in the process of delivering a fixed version of Chrome. Android users should stop using the Android Browser and switch to Firefox or Chrome.
Hopefully web server administrators around the world will move with haste to disable support for any export suites.
More details about the flaw and the attack can be found on Matt Green’s blog; he pointed out that this situation illustrates why cryptographic backdoors are always a bad idea.
“Users who need to be extra cautious here are ones who, by design, have an entity in the middle of their traffic. For example, some nation states control Internet gateways in and out of their nation and, because of this topological placement, are in an optimal place to exploit everyday users. Hopefully this will not last long and clients and servers will be patched and are kept from negotiating to this weak cipher,” commented TK Keanini, Lancope CTO.
“While it is not trivial to exploit, the most advanced threat actors do have the capabilities to exploit this vulnerability. Never underestimate the advanced threat actor. It is best to bias toward the worst case and proceed with caution.”
“Clients and servers must be configured to NOT allow the negotiation to this particular setting. It will require several conditions to be met, so it is not as severe as Heartbleed which could be readily exploited,” he added.
“While this is a technical flaw driven by politics, it ultimately is a problem that compromises the technological goals. Cryptography has always been highly controversial and will remain this way as long as there are people who want to monitor private conversations. Even if we set politics aside, we should all treat cryptographic systems as a delay of disclosure and not ultimate privacy. As computing power increases, we must continue to retire older cryptographic methods and make way for new and stronger ones. The trick is to ensure that systems are not allowed to negotiate to the older and weaker techniques.”