Another SSL/TLS Vulnerability; FREAK
It looks like our precious SSL and TLS still isn’t quite as secure as we once thought. That is, there is some old code lurking around that can be exploited to help in decrypting any traffic to HTTPS connections using TLS or SSL. This isn’t a flaw per se, but a political move.
A 1990’s US regulation regarding encryption export from the US can potentially downgrade SSL/TLS to lower encryption.
Most websites, applications and devices that use OpenSSL prior to 1.0.1k are vulnerable to the flaw. Google, Apple and a host of other devices are affected by this. It is, however, mostly a server side issue and isn’t something that can be corrected by a client side fix. Your computer will try to negotiate for the highest possible encryption key anyway.
It seems that a long time ago in a galaxy not too far away the US Government wanted to control the export of encryption protocols. As a result there was something added to applications that would default to a much lower standard of SSL and TLS encryption to allow for that export control. It would appear that that piece of code still resides within, putting quite a bit of the internet at risk.
The vulnerability is being called FREAK, or Factoring Attack on RSA_EXPORT Keys. Apparently there are two strengths of RSA keys used, the higher strength that’s either 1024 or 2046 bits in “strength” or the much weaker 512 bit key. The 512 bit key was supposed to be called upon and that key used for any connections that originate outside of the US. The 1024 or higher strength encryption keys were reserved for US based IP’s only.
A man-in-the-middle attack could conceivably intercept your connection as it’s being set up and effectively engage the lower encryption, making it far easier to decrypt. Ed Felton, a professor of computer science at Princeton University said that it doesn’t take very much to decrypt a 512 bit RSA key, not much computing power at all, in fact.
“Back in the ‘90s, that would have required a heavy-duty computation, but today it takes about seven hours on Amazon EC2 and costs about $100,”
This vulnerability was discovered by a Karthikeyan Bhargavan of INRIA who is French science and technology research associate. Microsoft Research also played a big part in its discovery. A technical paper describing FREAK is due to be presented at the IEEE’s Security and Privacy conference in San Jose, California, in May.
In the meantime, there is a website that lists all the affected websites. So check it out to see if anything you visit is affected.
Is this really a big issue? Likely not for the average citizen, though it’s possible that some website traffic could be specifically targeted, to include banks. But it also appears as if there is a quick response to this vulnerability as well. But don’t FREAK out, all should be well.
And as always, browse smart!