Web Security Haunted by Freak Vulnerability
Source: Shirley Siluk
A "zombie" vulnerability left over from decades-old U.S. security policies on encryption could leave a huge number of Web sites open to "man-in-the-middle" attacks when viewed with OpenSSL browsers like Android or with Apple Safari, a team of researchers has found. The so-called FREAK attack arises when certain browsers attempt to establish a connection with Web servers, enabling acceptance of less-than-secure encryption keys.
FREAK, which stands for "Factoring RSA Export Keys," was discovered by cryptographers with the French research establishment INRIA, Spain's IMDEA research institute and Microsoft Research. They found that Safari's SecureTransport and Google's OpenSSL clients could be "tricked" into accepting a less-secure encryption key from a Web server because of a flaw left over from 1990s-era U.S. government export controls on encryption technologies.
Those controls required encryption systems exported from the U.S. to have weaker standards than those sold in the U.S. While today's requirements are no longer so stringent, those export-grade security connections may still be enabled for many Web sites.
FREAK Enabled on NSA, FBI Web Sites
We contacted the research team to learn more about how they discovered the FREAK vulnerability.
"We were analysing various SSL/TLS clients (e.g. browsers) and servers (Web sites) as part of a research project and we found a number of unexpected behaviors (see www.smacktls.com)," INRIA researcher Karthikeyan Bhargavan said via email. "Some of these behaviors resulted in attacks, such as FREAK."
FREAK works by messing with the standard encryption requirements for establishing Internet connections. The SSL protocol created by Netscape in the 1990s -- and the TLS protocol that replaced it -- requires an RSA encryption key to connect a client browser with a Web server. FREAK, however, enables the client to accept a less-secure, export-grade 512-bit RSA key rather than a standard RSA key.
"Support for these weak algorithms has remained in many implementations such as OpenSSL, even though they are typically disabled by default; however, we discovered that several implementations incorrectly allow the message sequence of export ciphersuites to be used even if a non-export ciphersuite was negotiated," the research team wrote. "Thus, if a server is willing to negotiate an export ciphersuite, a man-in-the-middle may trick a browser (which normally doesn't allow it) to use a weak export key....
"Ironically, many U.S. government agencies (including the NSA and FBI), as well as a number of popular Web sites (IBM, or Symantec) enable export ciphersuites on their server -- by factoring their 512-bit RSA modulus, we can impersonate them to vulnerable clients."
Thousands of Web Sites Affected
The FREAK Attack Web site lists numerous sites the researchers have found supporting RSA export-grade cipher suites. They included 9.7 percent (the figure was previously 12.2 percent) of the top million domains on Alexa and 36.7 percent of browser-trusted sites.
While no man-in-the-middle attacks have been observed due to the FREAK vulnerability, the research team is advising Web server operators to disable support for any export suites and to enable forward secrecy.
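The client-side flaw the researchers describe, where the export message sequence is accepted although a non-export ciphersuite was negotiated, is modelled below beside the corrected check. This is an added example, not code from the article, the researchers or any TLS library. The ServerFlight class, the function names and the 2048-bit certificate size are assumptions, and the handshake is reduced to the three values that matter here.

```python
from dataclasses import dataclass
from typing import Optional

# RSA export-grade suites (IANA names); a current client offers none of them.
EXPORT_SUITES = {
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

class HandshakeError(Exception):
    """Raised when the server's messages do not match the negotiated suite."""

@dataclass
class ServerFlight:  # hypothetical, simplified view of what the client receives
    negotiated_suite: str         # suite named in ServerHello
    cert_key_bits: int            # RSA key size in the server certificate
    temp_rsa_bits: Optional[int]  # temporary RSA key in ServerKeyExchange, if sent

def key_bits_flawed(offered, flight):
    """Models the flaw: the export message sequence is accepted for any suite."""
    if flight.negotiated_suite not in offered:
        raise HandshakeError("server chose a suite the client never offered")
    if flight.temp_rsa_bits is not None:
        return flight.temp_rsa_bits  # weak temporary key replaces the cert key
    return flight.cert_key_bits

def key_bits_strict(offered, flight):
    """Corrected check: a temporary RSA key is only legal for an export suite."""
    if flight.negotiated_suite not in offered:
        raise HandshakeError("server chose a suite the client never offered")
    if flight.temp_rsa_bits is not None:
        if flight.negotiated_suite not in EXPORT_SUITES:
            raise HandshakeError("temporary RSA key sent for a non-export suite")
        return flight.temp_rsa_bits
    return flight.cert_key_bits

# Constructed sample: the client offered only a non-export suite, yet the
# messages it receives include a 512-bit temporary RSA key.
OFFERED = {"TLS_RSA_WITH_AES_128_CBC_SHA"}
TAMPERED = ServerFlight("TLS_RSA_WITH_AES_128_CBC_SHA", 2048, 512)
NORMAL = ServerFlight("TLS_RSA_WITH_AES_128_CBC_SHA", 2048, None)

if __name__ == "__main__":
    print("flawed client encrypts to a", key_bits_flawed(OFFERED, TAMPERED), "bit key")
    try:
        key_bits_strict(OFFERED, TAMPERED)
    except HandshakeError as exc:
        print("strict client aborts:", exc)
```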
Akamai, whose content delivery networks serve many sites found to have the vulnerability, said in a blog post Monday that it had rolled out a fix on its Secure Network and was working with clients to make the changes needed to secure their sites.
The company had been contacted by the research team last week, an Akamai spokesperson said.
"We have not seen any evidence of attack," the spokesperson told us. "We do a great deal of monitoring of the traffic on our network, and the daily reports have not shown any increase in the use of export ciphers."
The discovery of the vulnerability, though, adds a new dimension to the already-contentious dialog between tech companies who are promoting stronger encryption standards and security agencies like the FBI and NSA that say they need to have built-in, "backdoor" access to networking and communications systems.
"Backdoors in cryptography are generally a bad idea, because a door you leave open for yourself may also one day be used by others," Bhargavan said. "To me that is the lesson from this attack."