In what is becoming a depressingly regular occurrence, the developers of OpenSSL and other SSL / TLS implementations have been caught on the back foot by security researchers. A vulnerability, dubbed FREAK (Factoring RSA Export Keys), which bears some similarities to last year’s POODLE vulnerability, has been discovered. At the time of writing it appears to affect almost 37% of browser-trusted sites.
Back in the 90s, the US government wasn’t too keen on the idea of shipping high-grade crypto to potential rivals, and so it put strict export controls on cryptographic technologies. US companies were limited to exporting “export grade” encryption: RSA keys of at most 512 bits (and symmetric ciphers of at most 40 bits). In the 90s, that was more than strong enough to beat the resources of the average cybercriminal; these days, factoring a 512-bit RSA modulus takes roughly $100 of Amazon EC2 time and a matter of hours.
Export grade encryption is known to be weak, and modern browsers won’t offer an export ciphersuite when they connect to a server. However, a bug in several SSL / TLS client implementations allows a man-in-the-middle attacker to push the connection down to export grade encryption anyway.
It works like this: the browser, knowing that export grade encryption is about as useful as a chocolate fireguard, offers only standard ciphersuites in its ClientHello. The man-in-the-middle rewrites that message to ask for an RSA export ciphersuite, which a surprising number of web servers still offer. The server responds by choosing the export suite and sending a temporary 512-bit RSA key in a ServerKeyExchange message, signed with its certificate key. The attacker rewrites the ServerHello so the browser believes its own ciphersuite was chosen, but lets the ServerKeyExchange through. A non-export RSA suite never uses a ServerKeyExchange, so the browser should reject it; because of the bug, it accepts the 512-bit key and encrypts the premaster secret to it instead of to the key in the server’s certificate. The attacker factors the 512-bit modulus, recovers the premaster secret, and from it derives the TLS master secret used to generate the symmetric keys for the rest of the “secure” connection. Thereafter the MITM can read, and alter, the plaintext of the communication.
Unfortunately, because generating RSA keys is processor intensive, many web servers (Apache among them) generate one export key when they start and reuse it for every connection. That is what makes the attack practical: factoring a 512-bit key takes hours, far longer than a browser will wait for a handshake, but an attacker can factor the server’s reused key once, offline, and then break any number of later sessions in real time. With the master secret in hand the MITM can even forge the handshake’s Finished messages, so the tampering goes unnoticed.
A significant number of sites were (at the time of writing) vulnerable to the FREAK attack, including those of American Express, Business Insider and tinyurl.com, a whole bunch of CDN providers, and Facebook Connect, which provides the Facebook “Like” buttons you see everywhere.
The similarity to POODLE lies in this attack’s reliance on old technology that should no longer be supported by web servers and browsers. With POODLE, attackers could trick browsers into falling back to SSL 3.0, an obsolete protocol version whose CBC padding could be exploited; with FREAK the downgrade is to an obsolete ciphersuite rather than a protocol version, but the pattern is the same. If there’s a lesson to be learned, it’s that “if it’s not secure, take it out,” because even if old code is never expected to be used, or is thought impossible to use, we shouldn’t discount the ingenuity of hackers.
The immediate solution is to disable support for legacy export cryptography: on servers, remove the EXPORT ciphersuites from the configuration so there is no weak key for a MITM to request; on clients, install the vendor patch that makes the browser reject the unexpected ServerKeyExchange. Google claims it has fixed the vulnerability in its services. Apple is working on a patch which should be released soon — a quick test on my own machine showed Chrome to be protected and Safari to be vulnerable at the time of writing (latest Safari and most recent Chrome beta). SSL / TLS implementation vendors have already patched their software. If you want to know whether your browser is vulnerable, this site includes a test.
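To make the mechanics concrete, here is a toy re-enactment of the downgrade described above, with both fixes alongside it: a server that no longer offers export suites, and a patched client that rejects the ServerKeyExchange it never negotiated. This is an added example, not code from the original post or from any TLS implementation. It assumes toy-sized keys (a ~40-bit “export” modulus built from the constructed primes 1000003 and 1000033, and a certificate key built from the Mersenne primes 2^31-1 and 2^61-1), a 4-byte premaster secret instead of 48, and handshake messages modelled as dicts; the function names (server_hello, client_key_exchange, attacker_recover, run_handshake) are mine. The one piece that is faithful to the real protocol is the TLS 1.2 PRF used to turn the premaster secret into the master secret.

```python
"""Toy re-enactment of the FREAK downgrade (added example, not the post's code).
Scaled down to run in milliseconds: a ~40-bit 'export' key instead of 512 bits,
a 4-byte premaster instead of 48, dicts instead of TLS records.  The master
secret derivation is the real TLS 1.2 PRF (RFC 5246, section 5)."""
import hashlib, hmac, math, secrets

STRONG_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA"
EXPORT_SUITE = "TLS_RSA_EXPORT_WITH_RC4_40_MD5"
RSA_E = 65537
# Constructed toy primes.  A real export key used two ~256-bit primes; the
# certificate key here is the product of the Mersenne primes 2^31-1 and 2^61-1.
EXPORT_P, EXPORT_Q = 1000003, 1000033
CERT_P, CERT_Q = 2**31 - 1, 2**61 - 1
PREMASTER_LEN = 4  # toy size; TLS uses 48 bytes

def make_rsa_key(p, q):
    return {"n": p * q, "e": RSA_E, "d": pow(RSA_E, -1, (p - 1) * (q - 1))}

CERT_KEY = make_rsa_key(CERT_P, CERT_Q)
EXPORT_KEY = make_rsa_key(EXPORT_P, EXPORT_Q)  # generated once, reused per connection

def tls12_prf(secret, label, seed, length):
    """PRF(secret, label, seed) built on P_SHA256, RFC 5246 section 5."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def master_secret(premaster, client_random, server_random):
    return tls12_prf(premaster, b"master secret", client_random + server_random, 48)

def pollard_rho(n, c=1):
    """Return a non-trivial factor of n (Floyd cycle finding on x^2 + c)."""
    x = y = 2
    d = 1
    while d == 1:
        x = (x * x + c) % n
        y = (y * y + c) % n
        y = (y * y + c) % n
        d = math.gcd(abs(x - y), n)
    return d if d != n else pollard_rho(n, c + 1)

def server_hello(client_hello, offer_export):
    """Server picks the first suite in the ClientHello that it also supports."""
    supported = [STRONG_SUITE] + ([EXPORT_SUITE] if offer_export else [])
    chosen = next((s for s in client_hello["suites"] if s in supported), None)
    if chosen is None:
        raise ValueError("handshake_failure: no shared cipher suite")
    msg = {"suite": chosen, "random": secrets.token_bytes(32)}
    if chosen == EXPORT_SUITE:
        # ServerKeyExchange carries the temporary export key, signed with the
        # certificate key (signature omitted here; FREAK does not break it).
        msg["server_key_exchange"] = {"n": EXPORT_KEY["n"], "e": EXPORT_KEY["e"]}
    return msg

def client_key_exchange(hello, client_random, patched):
    """Return (ClientKeyExchange, master secret) as the client computes them."""
    ske = hello.get("server_key_exchange")
    if patched and hello["suite"] != EXPORT_SUITE and ske is not None:
        # The fix: a non-export RSA suite never carries a ServerKeyExchange,
        # so one arriving means tampering.  Vulnerable clients skipped this.
        raise ValueError("unexpected_message: ServerKeyExchange in non-export suite")
    pub = ske if ske is not None else CERT_KEY  # vulnerable path: use the weak key
    premaster = secrets.token_bytes(PREMASTER_LEN)
    enc = pow(int.from_bytes(premaster, "big"), pub["e"], pub["n"])
    return {"encrypted_premaster": enc}, master_secret(premaster, client_random, hello["random"])

def attacker_recover(ske, cke, client_random, server_random):
    """MITM: factor the temporary key, decrypt the premaster, derive the master secret."""
    n, e = ske["n"], ske["e"]
    p = pollard_rho(n)
    d = pow(e, -1, (p - 1) * (n // p - 1))
    premaster = pow(cke["encrypted_premaster"], d, n).to_bytes(PREMASTER_LEN, "big")
    return master_secret(premaster, client_random, server_random)

def run_handshake(patched_client, server_offers_export=True):
    """One connection through the MITM; reports whether the attacker got the master secret."""
    client_random = secrets.token_bytes(32)
    try:
        # MITM step 1: the client offered only the strong suite; rewrite the offer.
        shello = server_hello({"suites": [EXPORT_SUITE], "random": client_random},
                              server_offers_export)
        # MITM step 2: tell the client its own suite was chosen, but let the
        # ServerKeyExchange with the weak key straight through.
        forged = dict(shello, suite=STRONG_SUITE)
        cke, client_ms = client_key_exchange(forged, client_random, patched_client)
    except ValueError as err:
        return {"outcome": "aborted", "reason": str(err)}
    attacker_ms = attacker_recover(shello["server_key_exchange"], cke, client_random, shello["random"])
    return {"outcome": "compromised" if attacker_ms == client_ms else "secure"}

if __name__ == "__main__":
    for patched, export in ((False, True), (True, True), (False, False)):
        print(f"patched_client={patched} server_offers_export={export}:", run_handshake(patched, export))
```

Running it shows the three cases: the unpatched client against a server that still offers EXPORT suites ends “compromised”, with the attacker holding the same master secret as the client; the patched client aborts with an unexpected_message alert as soon as the stray ServerKeyExchange arrives; and a server with export suites removed aborts with handshake_failure, because there is no weak key for the MITM to request. Either fix on its own is enough to stop this connection, which is why the advice above covers both ends. Factoring the toy modulus takes milliseconds; a real 512-bit one takes hours, which is exactly why the key reuse described earlier matters to a real attacker.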