Researchers have released details of a vulnerability (CVE-2015-0204) that makes it possible for hackers to crack HTTPS-protected traffic by forcing vulnerable clients to downgrade to weaker crypto.
The vulnerability has been dubbed ‘FREAK’ for Factoring RSA Export Keys. It was discovered by a group of researchers from Microsoft Research and the French Institute for Research in Computer Science and Automation, who found it was possible to make web browsers use encryption intentionally weakened in order to comply with U.S. government regulations in effect during the 1990s that banned American companies from exporting strong encryption abroad.
“Support for these weak algorithms has remained in many implementations such as OpenSSL, even though they are typically disabled by default; however, we discovered that several implementations incorrectly allow the message sequence of export ciphersuites to be used even if a non-export ciphersuite was negotiated,” the researchers wrote. “Thus, if a server is willing to negotiate an export ciphersuite, a man-in-the-middle may trick a browser (which normally doesn’t allow it) to use a weak export key. By design, export RSA moduli must be less than 512 bits long; hence, they can be factored in less than 12 hours for $50 on Amazon EC2.”
“If you run a web server, you should disable support for any export suites,” the site advises. “However, instead of simply excluding RSA export cipher suites, we encourage administrators to disable support for all known insecure ciphers (e.g., there are export cipher suite protocols beyond RSA) and enable forward secrecy. Mozilla has published a guide and SSL Configuration Generator, which will generate known good configurations for common servers. You can check whether your site is vulnerable using the SSL Labs’ SSL Server Test.”
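The advice quoted above can be turned into a simple audit. The following Python sketch is an added example, not code from the researchers or from this article: it takes the cipher suite names a scan reports for a server and flags every export-grade suite, RSA or not, along with suites that lack forward secrecy. The sample list and the function names are constructed for illustration.

```python
import re

# Constructed sample: suite names as a scanner might list them for one server
# (a mix of OpenSSL-style and IANA-style names; not taken from the article).
SAMPLE_OFFERED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
    "EXP-RC4-MD5",
    "EXP-EDH-RSA-DES-CBC-SHA",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_128_GCM_SHA256",
]

# Ephemeral (EC)DH key exchange tokens; older OpenSSL names spell DHE as EDH.
_EPHEMERAL = re.compile(r"(^|[-_])(ECDHE|DHE|EDH)([-_]|$)")
# TLS 1.3 suite names carry no key-exchange token but always use ephemeral keys.
_TLS13 = re.compile(r"^TLS_(AES|CHACHA20)_")


def is_export(name):
    """True for export-grade suites in either naming scheme."""
    n = name.upper()
    return n.startswith(("EXP-", "EXP1024-")) or "_EXPORT_" in n or "_EXPORT1024_" in n


def has_forward_secrecy(name):
    """True when the suite name indicates an ephemeral key exchange."""
    n = name.upper()
    return bool(_TLS13.match(n) or _EPHEMERAL.search(n))


def audit(offered):
    """Sort suite names into export / no_forward_secrecy / ok buckets."""
    report = {"export": [], "no_forward_secrecy": [], "ok": []}
    for name in offered:
        if is_export(name):
            # Export wins even when the key exchange is ephemeral DH.
            report["export"].append(name)
        elif not has_forward_secrecy(name):
            report["no_forward_secrecy"].append(name)
        else:
            report["ok"].append(name)
    return report


if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_OFFERED).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Anything in the `export` bucket should be removed from the server configuration outright; the `no_forward_secrecy` bucket lists the suites the quoted advice suggests replacing with forward-secret ones.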
According to Reuters, Apple is preparing an update to address the issue that will be released next week.
A Google spokesperson told SecurityWeek that the company encourages all websites to disable support for export certificates, and that Android’s connections to most websites – including Google sites and others without export certificates – are not subject to this vulnerability. The spokesperson also said that Google has already developed a patch and provided it to its partners.
“This is a very interesting problem that shows how we mustn’t be complacent about these older technologies, even though we think they are not going to be used,” said Ivan Ristic, Qualys’ director of application security research. “This attack seems fairly easy, conceptually – they [the researchers] cite ‘about 7.5 hours for $104 in EC2 time’ to break a key. Then they need to find a vulnerable client.”
“In practice, I don’t think this is a terribly big issue, but only because you have to have many ducks in a row,” he said. “That is: 1) find a vulnerable server that offers export cipher suites; 2) it should reuse a key for a longish time; 3) break key; 4) find vulnerable client; 5) attack via MITM (easy to do on a local network or wifi; not so easy otherwise). There’s a good lesson here, and that’s don’t enable technologies that you don’t want to see used, even if you don’t really think they will be used.”
“I would not freak out too much as most vendors are quickly patching this bug,” added Greg Martin, CTO of ThreatStream. “With that said, it’s yet another reminder that there are still many serious bugs in core software, like Shellshock and now FREAK which are still dormant in many of the key software components powering the Internet. Vendors have a responsibility to proactively test not just their own code but third party code and open source components for such vulnerabilities to protect their users.”
*Update: The list on Freakattack.com has been updated.