FREAK Attack Threatens SSL Clients
msm1267 writes: For the nth time in the last couple of years, security experts are warning about a new Internet-scale vulnerability, this time in some popular SSL clients. The flaw allows an attacker to force clients to downgrade to weakened ciphers and break their supposedly encrypted communications through a man-in-the-middle attack. Researchers recently discovered that some SSL clients, including OpenSSL, will accept weak RSA keys–known as export-grade keys–without asking for those keys. Export-grade refers to 512-bit RSA keys, the key strength that was approved by the United States government for export overseas. This was an artifact from decades ago and it was thought that most servers and clients had long ago abandoned such weak ciphers. The vulnerability affects a variety of clients, most notably Apple's Safari browser.
I know you can configure some options for PGP to block the use of insecure ciphers, but is there any way to configure a Linux/Debian box so that it refuses to accept insecure ciphers by default? Not just for the browser, but globally for all SSL connections.
I do not fail; I succeed at finding out what does not work.
Factoring Attack on RSA-EXPORT Keys
Why do people go to the trouble of making an acronym if they're going to screw it up anyway?
How can I believe you when you tell me what I don't want to hear?
Oh, there's a full-on MITM attack going on to facilitate this in the first place. Gotcha.
Build a custom kernel that doesn't support those ciphers?
Never been too much concerned about this until lately with the SuperFish thing with Lenovo. Another way to circumvent security. Not a fan much of Safari and if you look at the stats it appears not a lot of Apple fans even enjoy Safari all that much. I recently started trying out the new Safari in Yosemite which actually has some good performance and has added a couple nice features. Since Safari is using WebKit engine I wonder if Chrome is affected by this SSL issue? I know Google had talked about shoring up SSL versions and eliminating the weak ones.
Computer technology is untrustworthy anyway, chock full of back doors by anybody who is involved in making the hardware, the software and the services. Nobody wants "their" things to be used by someone they don't agree with unless they can betray them as they see fit. Security is theater, a trick to make you entrust your secrets and your belongings to a machine that is built and programmed to serve a different master.
This might be academic if it was just a history lesson — but for the past several months, U.S. and European politicians have been publicly mooting the notion of a new set of cryptographic backdoors in systems we use today. This would involve deliberately weakening technology so that governments can intercept and read our conversations. While officials are carefully avoiding the term “back door” — or any suggestion of weakening our encryption systems — this is wishful thinking.
Just because the NSA is trying to weaken encryption standards, why do you have to pile on too!
-- Tigger warning: This post may contain tiggers! --
I tried the test on up-to-date Firefox (36.0) and it's immune, but Chrome on Android (40.0.2214.109) is vulnerable.
Oh, no! You have walked into the slavering fangs of a lurking grue!
You could implement your own version of the SSL libraries that don't implement "weak" encryption protocols. When confronted by a client/server session that tried to default to the vulnerable mode, the client would get a "no failover" error message. The homebrew version would be no help in "forcing" a secure SSL session, and the browser/server would not be standards "compliant". Oh well. Oh, it would have to be a browser with available source code; hello firefox, goodbye safari.
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
"In practice, I don't think this is a terribly big issue, but only because you have to have many "ducks in a row": 1) find a vulnerable server that offers export cipher suites; 2) it should reuse a key for a long time; 3) break key; 4) find vulnerable client; 5) attack via MITM (easy to do on a local network or wifi; not so easy otherwise)," said Ivan Ristic of Qualys.
(Unless you're the NSA, then you have more MITM "opportunities" than you have people to exploit them...automation coming soon...)
Yes. http://www.openssl.org/docs/apps/ciphers.html
The question is does OpenSSL accept the weak ciphers as a downgrade bug even when EXPLICITLY DISALLOWED.
I haven't seen it answered in any of the linked articles so am digging/testing.
After the last couple of bugs my organization set the explicit cipher/algorithm/hash acceptable list. The export ciphers were excluded on purpose from our list.
SSL Labs https://www.ssllabs.com/ has a recommended list buried in their documentation somewhere.
Learning HOW to think is more important than learning WHAT to think.
"The so-called FREAK attack - short for Factoring attack on RSA-EXPORT Keys - is possible when an end user with a vulnerable device - currently known to include Android smartphones, iPhones, and Macs running Apple's OS X operating system - connects to an HTTPS-protected website configured to use a weak cipher that many had presumed had been retired. At the time this post was being prepared, Windows devices were not believed to be affected, and the status of Linux devices was unknown"
Answering myself to preserve the thread.
It looks like the export cipher suite must be enabled for this to work. So if you didn't turn off old, busted ciphers then you're potentially vulnerable.
Meh. Set your approved cipher suite and be done with it.
Learning HOW to think is more important than learning WHAT to think.
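The "set your approved cipher suite" advice above, and the openssl ciphers(1) link a few posts up, both come down to an OpenSSL cipher string. The Python example below is added here and is not code from any poster: it hands a string to the local OpenSSL through Python's ssl module (the same parser that `openssl ciphers -v '<string>'` uses) and reports every enabled suite that is export-grade or carries less than 128 bits of key. The HARDENED string is an illustrative starting point, not a list taken from the thread.

```python
"""Resolve an OpenSSL cipher string and flag export-grade or sub-128-bit suites.

Added example, not from the thread. The cipher string below is an assumed
starting point; verify it against your own policy before deploying it.
"""
import ssl

# HIGH selects the >=128-bit symmetric suites; each "!" group is removed
# outright, so nothing later in the string can re-enable it.
HARDENED = "HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!3DES:!DES"


def resolve_cipher_string(spec):
    """Return the suites (dicts from SSLContext.get_ciphers) that `spec` enables
    against the OpenSSL this interpreter is linked with."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:          # OpenSSL: "No cipher can be selected"
        return []
    return ctx.get_ciphers()


def weak_suites(spec):
    """Names of enabled suites that are export-grade (EXP- prefix) or under 128 bits."""
    return [c["name"] for c in resolve_cipher_string(spec)
            if "EXP" in c["name"] or c["strength_bits"] < 128]


def audit(spec):
    """Summarise a cipher string as (number_of_enabled_suites, weak_suite_names)."""
    enabled = resolve_cipher_string(spec)
    return len(enabled), weak_suites(spec)


if __name__ == "__main__":
    count, weak = audit(HARDENED)
    print(f"{count} suites enabled, weak: {weak}")
    # On an OpenSSL built without export suites (the norm today) an
    # export-only string resolves to nothing at all.
    print(audit("EXPORT"))
```

Because the check runs through the library actually installed, it answers the question asked earlier in the thread for that one library: if weak_suites() is empty for the string your application passes to OpenSSL, OpenSSL has nothing export-grade to negotiate. It says nothing about GnuTLS or NSS, which need their own priority strings checked.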
So would clients built using the SSL libraries from the (stripped-down, un-borked) version of SSL that the OpenBSD team recently did - LibreSSL - be vulnerable as well?
With Google Chrome you might be able to cover them all with a command line switch like this:
--cipher-suite-blacklist=0x0003,0x0006,0x0008,0x000b,0x000e,0x0011,0x0014,0x0017,0x0019,0x0026,0x0027,0x0028,0x0029,0x002a,0x002b
REF:
1. http://peter.sh/experiments/chromium-command-line-switches/#cipher-suite-blacklist
2. http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
Ciphersuite Negotiation is a liability. A good security protocol will not have it. It is empirically impossible to get right.
Pick one set of algorithms, good enough for the lifetime of the device or system and any changes are done by replacing the single static suite on both ends, say once per decade. Make the whole thing so utterly simple to implement that it would be hard to get wrong.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Fun thing is that Chrome (40.0.2214.115) is vulnerable, Chromium (38.0.2125.122) is not. At least on OSX.
What is sad is that OpenSSL disabled the EXPORT1024 ciphersuites in 2006. If you don't know what these are, in year 1999 the US government raised the limit to 56-bit encryption and 1024-bit RSA. They were described in https://tools.ietf.org/html/dr... . And for the record it was in year 2000 that the restrictions were removed for "retail" software.
Why did they stop at one nested acronym? Why not shorten it even further to "F - short for the so-called FREAK attack - short for Factoring attack on RSA-EXPORT Keys", and while we're at it shorten "Android smartphones, iPhones, and Macs running Apple's OSX operating system" to "A's"?
I sure hope there are patches coming soon; wouldn't want anyone to inadvertently get F'd in the A's!
Because clients are run by idiots. Sorry, but it's true.
Clients are run by people who look at the funny acronyms and you can watch their eyes glaze over. If they know anything about it, they will know that there are keys and these keys depend on how big the number next to them is. That there are symmetric and asymmetric keys and that 512bit can be a LOT if it's symmetric and insignificantly little if it's asymmetric is already something you won't be able to teach them.
So configure your servers, people. Configure them to ONLY accept sensible ciphers. Yes, that means that people with Internet Explorer 5 might not be able to use your page. Then inform them to fucking get a browser that was made in this millennium! These people are a security risk and bluntly, if you want to do business with them, you do not want to do business with me.
Or at least I don't want to do business with you!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I extensively make use of this site for cypher selection:
https://wiki.mozilla.org/Secur...
There are 3 levels of configuration proposed which you can use as a starting base for your own selection. The EXPORT cyphers are explicitly marked as 'Mandatory discards'. Any serious website running with these cyphers should be fined for exposing their visitors.
I didn't see it mentioned in the article or summary which ones are affected. All I saw is "including OpenSSL." How about an actual list of affected software? Or maybe I'm just blind and missed it, but I don't think so.
These people are a security risk and bluntly, if you want to do business with them, you do not want to do business with me.
Or at least I don't want to do business with you!
Yes, I'd want to do business with them, because they're the majority. If you don't want to do business with me because of that, then so be it. They win, you lose.
Check out the breakdown of the affected countries.
https://infogr.am/https_sites_that_support_rsa_export_suites
You could theoretically do some packet inspection on the handshake and send a spoofed RST if you see something during the exchange you don't like.
I've only ever dug into the certificate exchange portion of the handshake. I'm assuming the cipher negotiation is also in the clear.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
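The packet-inspection idea above is workable because, as the poster suspects, cipher negotiation is in the clear: the ClientHello lists the suites the client offers and the ServerHello names the one the server picked. The Python example below is added here and is not code from any poster. It parses both messages, flags the export-grade suites using the IANA IDs from the Chrome blacklist post earlier in the thread, and checks the condition that actually matters for FREAK: a ServerHello committing to an export suite the client never offered. The sample records are constructed inline, not captured traffic.

```python
"""Flag export-grade cipher suites in TLS ClientHello / ServerHello records.

Added example, not from the thread. Sample records are constructed below.
"""
import struct

# IANA cipher-suite IDs whose registered names contain EXPORT; the same IDs
# as the Chrome --cipher-suite-blacklist post above.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    0x0026: "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
    0x0027: "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
    0x0028: "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
    0x0029: "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
    0x002A: "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
    0x002B: "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
}

HANDSHAKE = 0x16                    # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2   # handshake message types


def _handshake(record):
    """Split one TLS record into (handshake_type, body); None if not a handshake."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    hs_len = int.from_bytes(hs[1:4], "big")
    return hs[0], hs[4:4 + hs_len]


def _after_session_id(body):
    """Offset just past version(2) + random(32) + session_id (1 + n bytes)."""
    return 2 + 32 + 1 + body[2 + 32]


def offered_suites(record):
    """Cipher suites a ClientHello offers, in the client's preference order."""
    parsed = _handshake(record)
    if parsed is None or parsed[0] != CLIENT_HELLO:
        return []
    body = parsed[1]
    pos = _after_session_id(body)
    count = struct.unpack("!H", body[pos:pos + 2])[0] // 2
    pos += 2
    return list(struct.unpack("!%dH" % count, body[pos:pos + 2 * count]))


def selected_suite(record):
    """The single suite a ServerHello commits to, or None for other records."""
    parsed = _handshake(record)
    if parsed is None or parsed[0] != SERVER_HELLO:
        return None
    body = parsed[1]
    pos = _after_session_id(body)
    return struct.unpack("!H", body[pos:pos + 2])[0]


def export_suites_in(record):
    """Names of export-grade suites offered (ClientHello) or chosen (ServerHello)."""
    chosen = selected_suite(record)
    suites = offered_suites(record) if chosen is None else [chosen]
    return [EXPORT_SUITES[s] for s in suites if s in EXPORT_SUITES]


def is_freak_downgrade(client_record, server_record):
    """True when the server picks an export suite the client never offered.
    A client that keeps going here has the acceptance bug the article describes."""
    chosen = selected_suite(server_record)
    return chosen in EXPORT_SUITES and chosen not in offered_suites(client_record)


# --- constructed sample records (not real captures) -------------------------

def _record(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def build_client_hello(suites):
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"           # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + struct.pack("!%dH" % len(suites), *suites)
    body += b"\x01\x00"                                   # one compression method: null
    return _record(CLIENT_HELLO, body)


def build_server_hello(suite):
    body = b"\x03\x03" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(SERVER_HELLO, body)


MODERN_HELLO = build_client_hello([0xC02F, 0x009C, 0x002F])  # ECDHE/AES-GCM, no export suites
FORGED_SERVER_HELLO = build_server_hello(0x0003)            # server answers with RC4-40 export

if __name__ == "__main__":
    print(export_suites_in(MODERN_HELLO))                          # []
    print(export_suites_in(FORGED_SERVER_HELLO))                   # ['TLS_RSA_EXPORT_WITH_RC4_40_MD5']
    print(is_freak_downgrade(MODERN_HELLO, FORGED_SERVER_HELLO))   # True
```

Feeding the first record of each direction from a live flow into export_suites_in() gives the "something I don't like" trigger the poster describes; is_freak_downgrade() is the narrower alert worth paging on, since a server choosing a suite that was never offered is wrong regardless of which suite it is.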
I'm AC so I can't mod your comment +5 Funny but I thought that was pretty good.
Then you're part of the problem.
If vendors didn't pander to people running IE 5 then they would sack the fuck up and call their nephew to spend 5 minutes installing Teamviewer and Google Chrome.
People who refuse to run modern shit on their hardware may be the majority, but only because assholes are willing to bend over backwards selling them "lazy" as a commodity.
The SSL implementation is NOT part of the kernel.
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
Just configuring openssl is not enough. Theres at least THREE different SSL libraries in common use on linux and the chances are you have applications using all of them.
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
Says the AC who is too chicken to post under his name. Seems that it's people like him that are the real problem. Just sayin'.
I was thinking server side, for the web server. But yes, you need to ensure every service you provide that uses TLS is properly configured.
I'm not sure how much this would impact something like SMTP-S or IMAPS, since the connection duration on those types of service is so short.
The big target is going to be web servers.
Learning HOW to think is more important than learning WHAT to think.
Internet Explorer 5 has not had a sizeable market share since 2002.
Then you're part of the problem.
If vendors didn't pander to people running IE 5 then they would sack the fuck up and call their nephew to spend 5 minutes installing Teamviewer and Google Chrome.
People who refuse to run modern shit on their hardware may be the majority, but only because assholes are willing to bend over backwards selling them "lazy" as a commodity.
Not sure what the GP is going on about.
In my observations, retiring Windows XP drastically reduced the number of issues from "my stuff doesn't work, it's new, I bought it 10 years ago, why not?" complaints.
There was a small cadre of folks re-installing XP on new machines (I did it too) because there wasn't a reason not to. After Nosebleed and Hearbeep (or whatever) happened last year I shut off old ciphers on all my stuff. And know what? NOBODY NOTICED. I get an occasional hit from China or other shitholes I don't care about trying it, and they often come along with other probes so it's not real traffic.
So the point is, GP isn't correct when he's talking about his "majority," there is no such group. They're gone. The idea that there is a technically adept person running old shit because it still works, who also doesn't know it's risky, and also can't afford to upgrade to new shit is a Venn diagram with three unconnected circles on it.
Go ahead and run what you want as a hobby if you get fulfillment from it. If your hobby puts you at risk, or can't be used somewhere, tough shit.
It's a downgrade attack that uses ancient old ciphers. Can we assume that any site that is vulnerable to FREAK is also vulnerable to other downgrade attacks and generally is likely to use old and insecure ciphers?
I mean if you score an A on ssllabs tests which already penalise you for weak ciphers it shouldn't be an issue right?
It appears Theo de Raadt and crew have done it again -- proven their security audits and staunch view towards security does, indeed, work. Makes me glad to be an OpenBSD fan.
I played the videos at the smacktls website, got no audio, so I don't know that there was audio, but I didn't get any audio.
It seems that both tests on Safari that they presented, while not blocked by Safari - the user got warnings telling them there was a problem (potential fake website, https didn't show green, etc. - and XSS attacks). Seems that, unless there was further explanation that they installed some plugin/extension in Safari, that it is not completely broken. The warnings should keep users from continuing and just quit their browser at that point (ok, not the ID10T users, but...). So, unless further explanation was given over audio - it doesn't appear that Safari is completely toast.
And that does bring up the question - should there be "training wheels" on the browser - NEVER allowing you to continue despite repeated warnings (one of the tests they showed came up with multiple warnings about XSS attacks on the page/login)? And if that's so, how do I remote into a Windows TS (ok, not a browser, but..). It seems the majority of Windows network admins don't know how to properly configure certificates (or simply don't or can't buy them), so they wind up either not signing or self-signing them, thus, anytime you access those systems, you get warnings about going into that particular Terminal Server. So, you either ignore it and do your job, or you don't and don't get work done.
Sigh.
So, as I understand it, the current situation is:
- We can't allow use of RC4 because it's weakened significantly.
- If we disallow RC4, we open ourselves up to BEAST in practical terms.
- We need to move towards PFS and TLS 1.2 but the major libraries don't support it in major stable versions and/or we break an awful lot of the world's clients in doing so.
- A lot of the chain certificates out there are still using only SHA1 which makes them weak.
- And now we have to start worrying about clients that allow downgrade attacks on the connection.
- We can't use OpenSSL at the moment because all the interesting new features (TLS 1.2, etc.) are only in Beta.
- We can't use LibreSSL at the moment because it isn't available in many mainstream distros.
Seems to me like we really need a massive revamp of security here and ditching old clients entirely.
Almost every site on the Qualys SSL Labs tests rates B at best now because of the current situation (from which they recognise there is no practical escape even though it should probably rank them all lower): https://www.ssllabs.com/ssltes...
I think it's time we just ditched everything and provide a way for browser security to be pulled out of the browsers entirely and made independently upgradeable, so you can browse a modern TLS 1.2 site with a browser that's a few weeks old.
Users who are stuck using browsers that are incapable of applying more up-to-date ciphers are nowhere close to the majority. They're over an order of magnitude away from being the majority, in fact.
You can use this tool to check your webserver: http://www.freakattacktest.tk
"A) You look like a crazy spammer with your insane formatting, massive hyperbole, and numerous comments that seem to be frothing at the mouth. It's no wonder Palant stopped responding to you." - by Anubis IV (1279820) on Wednesday March 04, 2015 @11:42AM (#49180959)
BS: Palant HAD to run http://ask.slashdot.org/commen... since AdBlock doesn't do a FRACTION of what hosts can and for FAR LESS resources consumed... period/fact!
---
"I know that reading my single sentence is asking a lot of you, but you might be advised to read it a bit more carefully next time before you make multiple comments, each of which has dozens of lines of inapplicable text that look to have been written by a madman." - by Anubis IV (1279820) on Wednesday March 04, 2015 @11:42AM (#49180959)
Madman? At least I can REMEMBER what I said that week or not, unlike yourself... lol!
Also - What doesn't "apply" on the topic @ hand in what I wrote too, boy?? I am *NEVER* off topic on hosts (I only respond to "Almost ALL Ads Blocked" fanboys like you, trolling shill that YOU ARE, undoubtedly Mr. Palant himself, right??)
---
* NOW: I know that in the PAST you have noted hosts (I keep you as a hosts user I know of in fact - but you said you noted them there... where????)
APK
P.S.=>
"TL;DR: Read more carefully, use both, and stop posting tirades. We'll all be happier, you included." - by Anubis IV (1279820) on Wednesday March 04, 2015 @11:42AM (#49180959)
Well, UNLESS you can PROVE what I asked for from YOU above, by showing us, that you indeed noted hosts in that article or even that week? You're FULL OF IT & can "EAT YOUR WORDS", boy - I didn't see it, & looked over your post history... apk
" I use both uBlock and a custom hosts file, and I'd encourage others to do so as well" - by Anubis IV (1279820) on Thursday February 19, 2015 @01:37PM (#49089289)
See subject: Where'd you mention HOSTS specifically in that thread before that WAS MY QUESTION. I looked at your post history that week & you never did!
Answer it - after all, you DID say this too there also:
"TL;DR: Read more carefully, use both, and stop posting tirades. We'll all be happier, you included." - by Anubis IV (1279820) on Thursday February 19, 2015 @01:37PM (#49089289)
Don't give me orders, boy... @ least NOT UNTIL YOU HAVE DONE BETTER than myself, & by that? See next below also as you MAY LEARN SOMETHING that proves your statements wholly incorrect:
"since each handles various things better or differently than the other. For instance, hosts are more efficient and can prevent the ad server from ever getting my request, which addons sometimes can't do, but it can't remove the element from the page where the ad would have showed, whereas an addon can." - by Anubis IV (1279820) on Thursday February 19, 2015 @01:37PM (#49089289)
I don't NEED an addon for element blocking: Opera 12.17 does that via rightclicks on pages, & has for like, forever!
"Hosts files are also a bit more hands-on in keeping up-to-date than addons" - by Anubis IV (1279820) on Thursday February 19, 2015 @01:37PM (#49089289)
YOU had better learn to read more closely, per YOUR ORDERS YOU TOSSED MY WAY ABOVE QUOTED - hosts are a SNAP to maintain & keep up to date courtesy of "yours truly" -> http://start64.com/index.php?o...
(Now, since you're such a 'great critic' & you like to give orders? HAVE YOU DONE BETTER YOURSELF?? Hell no!)
APK
P.S.=> Bottom-Line (after you told me to read closer quoted above especially): Don't EVER tell us you noted hosts before that quote above of yours in that very thread, when you NEVER once did... apk
"Oh, is that all you were asking? The simple answer is that I didn't say I used hosts prior to my first response to you" - by Anubis IV (1279820) on Sunday March 08, 2015 @11:44PM (#49212639)
See subject: You screwed up & never said you use hosts once there (prior to your saying you did AFTER you gave me guff telling me to "read more closely")...
---
"I was pointing out that hosts itself can't do it" - by Anubis IV (1279820) on Sunday March 08, 2015 @11:44PM (#49212639)
Hosts unquestionably DO MORE THAN ANY SINGLE BROWSER ADDON OUT THERE, & for less resources consumed by FAR (vs. Almost ALL Ads Blocked).
More work? Hey - AT LEAST HOSTS DO WORK fully, unlike "almost ALL ads Blocked"...
Yes, Opera 12.17 is excellent & does click on content (like ads or images for example) & lets me selectively BLOCK portions of sites.
---
" apps like yours help to make hosts MUCH more manageable and MUCH more approachable for people who aren't used to mucking around in their computer's innards, so kudos to you for putting that together." - by Anubis IV (1279820) on Sunday March 08, 2015 @11:44PM (#49212639)
It works. Better than ANY OTHER like it in fact (being pure 64-bit & also offering speedup of websurfing via hardcoded favorite sites @ the TOP of hosts so they resolve fast, faster than remote DNS, & in doing so, also securing users vs. DNS security issues by avoiding it where they spend MOST OF THEIR TIME ONLINE too...)
APK
P.S.=> Hosts work on most every platform & porting my app? Cake. Delphi does MacOS X, iOS, Android, + yes, Windows - a Linux port's cake too: Lazarus IDE + FreePascal are an ALMOST EXACT CLONE of Delphi & would be easy too - only diff between Windows is mounted device vs. drive letters (easy) & the code for *NIX sockets vs. WinSock2 is abstracted away for it already (so sockets diff are no issue either)... apk
"Arguing that hosts is both more efficient AND more capable is like arguing that a traditional GPU is both more efficient AND more capable than a traditional CPU, even though they are intended for different purposes." - by Anubis IV (1279820) on Monday March 09, 2015 @03:55PM (#49218133)
Hosts DO more, & what they do the SAME, hosts do more efficiently.
* There's NO arguing it - it's not even an argument, due to what's in my 'p.s.' below...
(Hosts work anywhere pretty much, on ANY webbound application... adblock doesn't).
APK
P.S.=> ALL documented to what I stated here (from reputable sources & valid tests) http://ask.slashdot.org/commen... as well as a list of what hosts DO, above & beyond "Almost ALL Ads Blocked" (crippled by default since it sold out to GOOGLE), more efficiently... apk
Hosts do more than adblock for less resources per http://ask.slashdot.org/commen...
* Prove that wrong? THEN, you have a VALID point...
(Can't be done... too many almost all ads blocked fans have tried & failed here for years on that account).
APK
P.S.=> Plus, Yes - I've already DONE the research (it's in those links in fact from valid reputable enough sources) & so I simply designed the BEST TOOL THERE IS for hosts file mgt. (since there's little question of what's in the list in that link above being correct)... apk
See subject & this link + the list in it http://ask.slashdot.org/commen...
"I'm not going to argue about which of them "does more". I don't know how you'd objectively quantify that, nor do I see why that matters at all, nor do I have any interest in arguing it with anyone." - by Anubis IV (1279820) on Wednesday March 11, 2015 @03:12PM (#49236003)
You can't argue in favor of "Almost ALL Ads Blocked" vs. that list of things hosts do, for less, that adblock can't.
"Yes, you have a list of a lot of things that hosts can do. " - by Anubis IV (1279820) on Wednesday March 11, 2015 @03:12PM (#49236003)
It's SO nice NOBODY can prove it wrong... TRUTH is like that.
"I'm sure someone else has a nice list of everything that ad-blocking addons can do." - by Anubis IV (1279820) on Wednesday March 11, 2015 @03:12PM (#49236003)
Where is it then? I'll tear it in 1/2 vs. hosts too... or, as I did with specific content blocking, how Opera (or other browsers) can do that MINUS "Almost ALL Ads Blocked" as I did earlier in this exchange.
"And I'm equally sure that we can pad both lists by splitting up items and rewording them a bit. Seeing which list has more items in it is a pointless and subjective exercise, since I'm only interested in using a subset of those features anyway, and don't care in the least which of them "does more"." - by Anubis IV (1279820) on Wednesday March 11, 2015 @03:12PM (#49236003)
Go for it - I'll rip it, and you, in 1/2 - easily.
APK
P.S.=> How you could be SO obstinate & run from facts I put out, I will NEVER know, or understand... apk
See subject: You couldn't even remember NOT noting hosts in our exchange originally!
* Hosts work on ANY browser (or app) on a PC operating system - not just "some" as you said...
APK
P.S.=> In the end, you're NOT denying hosts are more efficient & do more than "Almost ALL Ads Blocked" by FAR, + for less resources consumed - that's ALL I really needed to see or hear... apk
"a modified hosts file when I'm at home in Safari on my Mac, I haven't seen an ad in months, let alone one following me around." - by Anubis IV (1279820) on Thursday December 06, @06:28PM (#42210239)
See subject & that quote of yours (you omitted noting that as I said you did) - so again, I just HAD to put YOUR WORDS in YOUR MOUTH, this round, to clarify that YES you use hosts files (& yes, you omitted stating that in our original "debate" where YOU RESORTED TO CALLING ME 'crazy' etc. (which is a sign of losing a valid debate on YOUR part...)).
APK
P.S.=> I've seen all I needed to from you & have it quoted for future reference IF it's ever needed again in my favorites/bookmarks... it's all I wanted anyways (with name tossers like yourself) so you can "eat your words" IF you EVER try it again... apk
"A) You look like a crazy spammer with your insane formatting, massive hyperbole, and numerous comments that seem to be frothing at the mouth" - by Anubis IV (1279820) on Wednesday March 04, 2015 @11:42AM (#49180959)
What's that you said now vs. YOU tossing names @ me?
APK
P.S.=> You're unbelievable... apk
Then you've made a valid point vs. tossing names my way vs. http://ask.slashdot.org/commen...
* I've been VERY successful in HOW I do things in the past - hence WHY I don't have to be somebody's "wageslave" anymore & run my own successful business for a decade++ now in fact - can YOU say the same?
(So, don't *TRY* to tell me "how it's done", until YOU HAVE DONE BETTER yourself. Then, perhaps I'd listen but not until then).
As far as calling you 'boy'?
There's NO QUESTION that You began the name tossing, not I (calling me "crazy spammer" etc.) so when in ROME, I do as the romans do & speak in a language they understand since you have NOT shown me otherwise from YOUR end.
APK
P.S.=> That "spam" bullshit is just that - PURE bullshit (& that is all you've got apparently)... apk