Bitcoin Forum
Author Topic: New Attack on SSL - Make sure your client is not vulnerable!  (Read 1014 times)
Cryddit (OP)
Legendary
Activity: 924
Merit: 1129
March 06, 2015, 05:15:00 PM
Last edit: March 06, 2015, 07:03:18 PM by Cryddit
#1


It turns out that Apple's SSL implementation, as well as OpenSSL, and it's not clear yet how many other SSL implementations, no longer *offer* export-mode encryption in protocol negotiation, but still *enable and use* export-mode cryptography if it's specifically requested.

That means that if some peer specifically requests something stupid like RSA-512 or DES-40, the encryption will be downgraded to that standard.

This has led to the FREAK attack, in which a man-in-the-middle injects a specific request for a stupid cipher into the (cleartext) protocol negotiation and then can listen in on the stupid-encrypted connection.

details: https://freakattack.com/
Cryddit (OP)
Legendary
Activity: 924
Merit: 1129
March 06, 2015, 05:17:55 PM
#2

Oh wait. I realize I used jargon above.

"Export mode" encryption refers to the kind of crypto US companies were allowed to export to other countries for a couple of decades before the restriction was lifted more than 15 years ago now (Gods I feel old).

It allows symmetric ciphers with keys no more than 40 bits long and asymmetric ciphers with equivalent resistance (i.e., no significant resistance for today's machines) to brute-force attacks.
 
jertsy
Sr. Member
Activity: 341
Merit: 250
March 07, 2015, 01:31:31 AM
#3

Microsoft says all versions of Internet Explorer are vulnerable. I checked my version of Chrome and it's not vulnerable according to https://freakattack.com/.

https://technet.microsoft.com/en-us/library/security/3046015
Cryddit (OP)
Legendary
Activity: 924
Merit: 1129
March 07, 2015, 02:44:10 AM
Last edit: March 07, 2015, 03:22:35 AM by Cryddit
#4

I researched this and wrote about it today. This is from the 'cybernetic entomology' series on my own blog at http://dillingers.com/blog:

Quote
At the time it was discovered, this bug affected 37% of all HTTPS servers. The Apache web server using all but the very latest version of OpenSSL was the primary vulnerable server. At that time Apache was serving 58% of all web servers on the Internet, and more than half of these were vulnerable because they had not been updated with the most recent patch of OpenSSL.

Apache mod_ssl, in particular, made this even worse. Because it is computationally expensive to generate RSA keys, mod_ssl, by default, generates a single export-grade RSA key when the server starts up and then re-uses it for all the sessions served until the server shuts down. So an attacker obtaining a 512-bit RSA key could take the few hours to factor it, and the server that used that key would still be up — enabling the attacker to read and modify further traffic on the fly until it reboots.

The uptime for Apache servers running on stable operating systems can reach weeks or months. Essentially, they get started once after a kernel upgrade forces a reboot, and do not shut down until rebooting the machine for the next kernel upgrade or a hardware failure. So, having gotten the key once, an attacker could read and modify the traffic on that server for weeks.

The websites whitehouse.gov, nsa.gov, and fbi.gov (including the FBI anonymous tips website) were all among the sites whose servers were vulnerable, meaning that the buggy security decisions of decades before had resulted in a bug that reduced the security of the very same organizations that had made the decisions. Which goes to show that if you don’t get good decisions, at least you eventually get irony.

Web browsers afflicted included Internet Explorer on Windows, Chrome on MacOS and Android, Safari on MacOS and iOS, Opera on MacOS and Linux, as well as the stock browsers provided with Blackberry and Android devices. FREAK was short-lived after its public announcement, because the web servers afflicted could fix it by downloading a new version of OpenSSL already available, and security patches for the browsers started coming out just a few hours after the attack was announced.
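The two server-side symptoms this thread describes, a ClientHello rewritten to offer only export suites (post #1) and a single export-grade RSA key reused across every session by mod_ssl (the quoted passage above), are both visible in the cleartext handshake, so a network monitor can flag them. The following is an added example written for this thread; it is not code from the posts, from freakattack.com, or from OpenSSL or Apache. It parses TLS 1.0 to 1.2 handshake records, reports export-grade suites offered or selected, reads the temporary RSA modulus from an RSA_EXPORT ServerKeyExchange, and notices when the same modulus shows up in a later handshake. The cipher-suite code points are the registered TLS values; the handshakes at the bottom are constructed by hand (the `_client_hello`, `_server_hello` and `_rsa_export_ske` builders and the placeholder modulus are mine, not real captures or keys).

```python
"""Flag export-grade (FREAK-prone) TLS 1.0-1.2 negotiations in raw handshake bytes.

Added example for this thread; not code from the original posts or from
freakattack.com. Cipher-suite code points are the registered TLS values; the
sample handshakes at the bottom are constructed by hand, not real captures.
"""
import struct

# Registered code points of the export-grade suites FREAK relies on.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
RSA_EXPORT_SUITES = {0x0003, 0x0006, 0x0008}  # key exchange uses a temporary RSA key
HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO, SERVER_KEY_EXCHANGE = 1, 2, 12


def handshake_messages(stream):
    """Yield (msg_type, body) for each handshake message in a byte string of TLS records."""
    off = 0
    while off + 5 <= len(stream):
        rec_type, _ver, rec_len = struct.unpack("!BHH", stream[off:off + 5])
        payload = stream[off + 5:off + 5 + rec_len]
        off += 5 + rec_len
        if rec_type != HANDSHAKE:
            continue                          # ignore alerts, application data, etc.
        p = 0
        while p + 4 <= len(payload):          # several messages may share one record
            msg_len = int.from_bytes(payload[p + 1:p + 4], "big")
            yield payload[p], payload[p + 4:p + 4 + msg_len]
            p += 4 + msg_len


def _skip_hello_prefix(body):
    """Offset just past version (2), random (32) and session_id in a Hello body."""
    p = 2 + 32
    return p + 1 + body[p]


def client_hello_suites(body):
    p = _skip_hello_prefix(body)
    n = struct.unpack("!H", body[p:p + 2])[0]
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(p + 2, p + 2 + n, 2)]


def server_hello_suite(body):
    p = _skip_hello_prefix(body)
    return struct.unpack("!H", body[p:p + 2])[0]


def rsa_export_modulus(body):
    """Temporary RSA modulus from an RSA_EXPORT ServerKeyExchange (params only, signature ignored)."""
    n = struct.unpack("!H", body[:2])[0]
    return int.from_bytes(body[2:2 + n], "big")


def audit(stream, seen_moduli=None):
    """Return (code, detail) findings; pass one set as seen_moduli to track key reuse across handshakes."""
    findings, chosen = [], None
    seen = seen_moduli if seen_moduli is not None else set()
    for msg_type, body in handshake_messages(stream):
        if msg_type == CLIENT_HELLO:
            offered = client_hello_suites(body)
            bad = [EXPORT_SUITES[s] for s in offered if s in EXPORT_SUITES]
            if bad and len(bad) == len(offered):   # the FREAK man-in-the-middle's rewritten hello
                findings.append(("client_export_only", ", ".join(bad)))
            elif bad:
                findings.append(("client_export_offered", ", ".join(bad)))
        elif msg_type == SERVER_HELLO:
            chosen = server_hello_suite(body)
            if chosen in EXPORT_SUITES:
                findings.append(("server_export_selected", EXPORT_SUITES[chosen]))
        elif msg_type == SERVER_KEY_EXCHANGE and chosen in RSA_EXPORT_SUITES:
            modulus = rsa_export_modulus(body)
            findings.append(("server_weak_rsa", f"{modulus.bit_length()}-bit temporary key"))
            if modulus in seen:                    # mod_ssl-style reuse of one export key
                findings.append(("server_rsa_key_reused", "same modulus seen in earlier handshake"))
            seen.add(modulus)
    return findings


# ---- constructed sample handshakes (hand-built for this example, not real captures) ----
def _record(msg_type, body):
    hdr = bytes([msg_type]) + len(body).to_bytes(3, "big")
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hdr) + len(body)) + hdr + body


def _client_hello(suites):
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00"      # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    return _record(CLIENT_HELLO, body + b"\x01\x00")  # one compression method: null


def _server_hello(suite):
    return _record(SERVER_HELLO, b"\x03\x01" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00")


def _rsa_export_ske(bits):
    modulus = (1 << (bits - 1)) | 1                   # placeholder odd number of the right size, not a real key
    mod = modulus.to_bytes((bits + 7) // 8, "big")
    return _record(SERVER_KEY_EXCHANGE, struct.pack("!H", len(mod)) + mod + b"\x00\x03\x01\x00\x01")


NORMAL = _client_hello([0x002F, 0x0035]) + _server_hello(0x002F)
DOWNGRADED = _client_hello([0x0003, 0x0008]) + _server_hello(0x0008) + _rsa_export_ske(512)

if __name__ == "__main__":
    for name, s in (("normal", NORMAL), ("downgraded", DOWNGRADED)):
        print(name, audit(s))
```

The `client_export_only` finding is the useful one for a monitor: a real browser of the era offered export suites at the end of a long list, whereas a ClientHello that offers nothing but export suites is what the downgrade looks like on the wire. Feeding every handshake from one server through `audit` with a shared `seen_moduli` set turns the quoted mod_ssl behaviour (one 512-bit key for the life of the process) into a repeatable `server_rsa_key_reused` alert.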
