FREAK Attack Threatens SSL Clients
msm1267 writes: For the nth time in the last couple of years, security experts are warning about a new Internet-scale vulnerability, this time in some popular SSL clients. The flaw allows an attacker to force clients to downgrade to weakened ciphers and break their supposedly encrypted communications through a man-in-the-middle attack. Researchers recently discovered that some SSL clients, including OpenSSL, will accept weak RSA keys–known as export-grade keys–without asking for those keys. Export-grade refers to 512-bit RSA keys, the key strength that was approved by the United States government for export overseas. This was an artifact from decades ago and it was thought that most servers and clients had long ago abandoned such weak ciphers. The vulnerability affects a variety of clients, most notably Apple's Safari browser.
I know you can configure some options for PGP to block the use of insecure ciphers, but is there any way to configure a Linux/Debian box so that it refuses to accept insecure ciphers by default? Not just for the browser, but globally for all SSL connections.
I do not fail; I succeed at finding out what does not work.
Factoring Attack on RSA-EXPORT Keys
Why do people go to the trouble of making an acronym if they're going to screw it up anyway?
How can I believe you when you tell me what I don't want to hear?
This might be academic if it was just a history lesson — but for the past several months, U.S. and European politicians have been publicly mooting the notion of a new set of cryptographic backdoors in systems we use today. This would involve deliberately weakening technology so that governments can intercept and read our conversations. While officials are carefully avoiding the term “back door” — or any suggestion of weakening our encryption systems — this is wishful thinking.
Just because the NSA is trying to weaken encryption standards, why do you have to pile on too!
-- Tigger warning: This post may contain tiggers! --
I tried the test on up-to-date Firefox (36.0) and it's immune, but Chrome on Android (40.0.2214.109) is vulnerable.
Oh, no! You have walked into the slavering fangs of a lurking grue!
You could implement your own version of the SSL libraries that don't implement "weak" encryption protocols. When confronted by a client/server session that tried to default to the vulnerable mode, the client would get a "no failover" error message. The homebrew version would be no help in "forcing" a secure SSL session, and the browser/server would not be standards "compliant". Oh well. Oh, it would have to be a browser with available source code; hello firefox, goodbye safari.
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
“In practice, I don’t think this is a terribly big issue, but only because you have to have many “ducks in a row”: 1) find a vulnerable server that offers export cipher suites; 2) it should reuse a key for a long time; 3) break key; 4) find vulnerable client; 5) attack via MITM (easy to do on a local network or wifi; not so easy otherwise),” said Ivan Ristic of Qualys.
(Unless you're the NSA, then you have more MITM "opportunities" than you have people to exploit them...automation coming soon...)
Yes. http://www.openssl.org/docs/apps/ciphers.html
The question is: does OpenSSL accept the weak ciphers as a downgrade bug even when they are EXPLICITLY DISALLOWED?
I haven't seen this answered in any of the linked articles, so I am digging/testing.
After the last couple of bugs my organization set the explicit cipher/algorithm/hash acceptable list. The export ciphers were excluded on purpose from our list.
SSL Labs https://www.ssllabs.com/ has a recommended list buried in their documentation somewhere.
Learning HOW to think is more important than learning WHAT to think.
"The so-called FREAK attack - short for Factoring attack on RSA-EXPORT Keys - is possible when an end user with a vulnerable device - currently known to include Android smartphones, iPhones, and Macs running Apple's OS X operating system - connects to an HTTPS-protected website configured to use a weak cipher that many had presumed had been retired. At the time this post was being prepared, Windows devices were not believed to be affected, and the status of Linux devices was unknown"
Answering myself to preserve the thread.
It looks like the export cipher suite must be enabled for this to work. So if you didn't turn off old, busted ciphers then you're potentially vulnerable.
Meh. Set your approved cipher suite and be done with it.
Google forked their own version of SSL called Googlessl. My guess is chrome would use this.
The big question is: is Google's implementation based on OpenSSL or LibreSSL? The bug might still be there if the former.
http://saveie6.com/
So would clients built using the SSL libraries from the (stripped-down, un-borked) version of SSL that the OpenBSD team recently did - LibreSSL - be vulnerable as well?
MITM positioning is a prerequisite, but that's not hard if you run a Wi-Fi hotspot. This is a bid-down attack, tampering with initial negotiation to limit the cipher suite and strength to something more breakable without raising alarms.
If you can additionally prevent the use of PFS cipher suites so the 512 bit key is used for pre-master secret encipherment, you need only break the static 512-bit key once to read all the traffic protected by it.
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
Ciphersuite Negotiation is a liability. A good security protocol will not have it. It is empirically impossible to get right.
Pick one set of algorithms, good enough for the lifetime of the device or system and any changes are done by replacing the single static suite on both ends, say once per decade. Make the whole thing so utterly simple to implement that it would be hard to get wrong.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
What is sad is that OpenSSL disabled the EXPORT1024 ciphersuites in 2006. If you don't know what these are, in year 1999 the US government raised the limit to 56-bit encryption and 1024-bit RSA. They were described in https://tools.ietf.org/html/dr... . And for the record it was in year 2000 that the restrictions were removed for "retail" software.
Because there's still a difference if the local police department has a key to your house or whether the lock is easily picked with a coat hanger without leaving any traces of trespassing.
You see, it's not ONLY the government that's out to get you.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Because clients are run by idiots. Sorry, but it's true.
Clients are run by people who look at the funny acronyms and you can watch their eyes glaze over. If they know anything about it, they will know that there are keys and these keys depend on how big the number next to them is. That there are symmetric and asymmetric keys and that 512bit can be a LOT if it's symmetric and insignificantly little if it's asymmetric is already something you won't be able to teach them.
So configure your servers, people. Configure them to ONLY accept sensible ciphers. Yes, that means that people with Internet Explorer 5 might not be able to use your page. Then inform them to fucking get a browser that was made in this millennium! These people are a security risk and bluntly, if you want to do business with them, you do not want to do business with me.
Or at least I don't want to do business with you!
I extensively make use of this site for cipher selection:
https://wiki.mozilla.org/Secur...
There are 3 levels of configuration proposed which you can use as a starting base for your own selection. The EXPORT ciphers are explicitly marked as 'Mandatory discards'. Any serious website running with these ciphers should be fined for exposing their visitors.
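Several posts in this thread give the same advice: set an explicit cipher list, exclude the export suites on purpose, and start from a published recommendation such as the Mozilla list. The following is an added example, not code from any of those posts, that turns that advice into a pre-deployment check: it uses Python's ssl module to expand an OpenSSL cipher string into the suites it actually enables on the local build (the same list `openssl ciphers -v '<string>'` prints) and flags any suite whose name carries a marker this example treats as unacceptable. The helper names and the marker list are this example's own choices; the cipher-string syntax (`!EXPORT`, `!aNULL` and so on) is OpenSSL's.

```python
"""Expand an OpenSSL cipher string and flag export-grade or otherwise weak
suites before it goes into a server config.

Added example: the helper names and the WEAK_MARKERS list are this
example's own choices, not part of OpenSSL or of any post above.
"""
import ssl

# Substrings of OpenSSL suite names that this example treats as a reject:
#   EXP          export-grade (512-bit RSA / 40-bit symmetric), e.g. EXP-RC4-MD5
#   RC4          broken stream cipher
#   NULL         no encryption (eNULL)
#   ADH / AECDH  anonymous key exchange, trivially MITM-able
#   DES-CBC-SHA  single DES (3DES is named DES-CBC3-SHA and does not match)
#   MD5          MD5-based MAC
WEAK_MARKERS = ("EXP", "RC4", "NULL", "ADH", "AECDH", "DES-CBC-SHA", "MD5")


def find_weak(names):
    """Return every suite name in `names` that carries a weak marker."""
    return [n for n in names if any(marker in n for marker in WEAK_MARKERS)]


def enabled_ciphers(cipher_string):
    """Expand `cipher_string` into the suite names it enables on this
    OpenSSL build (what `openssl ciphers -v '<string>'` would list).

    ssl.SSLError is raised when nothing matches, which is what a modern
    OpenSSL does for a string such as 'EXPORT' whose suites were removed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Expand the string and report which enabled suites are weak.

    A clean policy returns a non-empty 'enabled' list and an empty 'weak' list.
    """
    names = enabled_ciphers(cipher_string)
    return {"enabled": names, "weak": find_weak(names)}


if __name__ == "__main__":
    # A permissive string of the kind that left export suites reachable on
    # old builds, beside a strict one that excludes them by name.
    policies = (
        "ALL:!aNULL",
        "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!EXPORT:!RC4:!MD5",
    )
    for policy in policies:
        try:
            report = audit(policy)
        except ssl.SSLError as exc:
            print(policy, "->", exc)
            continue
        print(policy, "->", len(report["enabled"]), "suites; weak:", report["weak"])
```

`find_weak` is a pure function, so it can also be run over a list pasted from `openssl ciphers -v` on the actual server (which may be built against an older OpenSSL than the auditing machine); `audit` only tells you what this machine's library would enable. Run it against the exact string you intend to put in the web server, mail server and every other TLS-terminating service, since each may be linked against a different library.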
I didn't see it mentioned in the article or summary which ones are affected. All I saw is "including OpenSSL." How about an actual list of affected software? Or maybe I'm just blind and missed it, but I don't think so.
512 bits isn't a very high bar anymore.
It took 6 months and 8000 MIPS-years to factor RSA-155 back in 1999.
According to Dhrystone, the CPU in the computer I'm typing this post on could do those 8000 MIPS-years in roughly 3 weeks and you could probably knock that down to less than a day if you brought the GPU into the matter, let alone something with some real oomph.
upon the advice of my lawyer, i have no sig at this time
It adds to the history of cryptography. The issues did not stop with an early cell phone, new hardware at an embassy in the 1970's or early banking codes.
Generations have been told to use, supplied with or trusted brands. The more weak tame code that is found, the more people can talk about how.
Domestic spying is now "Benign Information Gathering"
You could theoretically do some packet inspection on the handshake and send a spoofed RST if you see something during the exchange you don't like.
I've only ever dug into the certificate exchange portion of the handshake. I'm assuming the cipher negotiation is also in the clear.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
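The two posts above describe the pieces a handshake monitor needs: the cipher negotiation is sent in the clear, and FREAK is a bid-down in which the server appears to select a suite the real client never offered, because a man-in-the-middle rewrote the ClientHello on its way to the server. As an added example that is not part of either post, here is a small Python parser for the ClientHello and ServerHello that extracts the offered and selected suites and reports three conditions: the client offered an export suite, the server selected one, or the server selected something the client did not offer. The sample records are constructed with `build_hello` (no real traffic was captured); the function names are this example's own; the cipher-suite numbers are the values assigned in RFC 2246.

```python
"""Spot the FREAK pattern in a TLS handshake from the bytes on the wire.

Added example, not code from any post above. The ClientHello/ServerHello
records are constructed here (no real capture); the cipher-suite numbers
are the values assigned in RFC 2246 Appendix A.5.
"""
import struct

HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
SERVER_HELLO = 0x02

# Export-grade suites: 512-bit RSA or 40-bit symmetric keys.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

# Two ordinary suites used in the constructed samples.
ECDHE_RSA_AES128_GCM = 0xC02F   # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
RSA_AES128_CBC = 0x002F         # TLS_RSA_WITH_AES_128_CBC_SHA


def build_hello(msg_type, suites):
    """Construct a minimal TLS 1.0 record carrying a ClientHello (every
    entry of `suites` offered) or a ServerHello (`suites[0]` selected).
    Sample data only: fixed random, empty session id, null compression."""
    fixed_random = b"\x11" * 32
    if msg_type == CLIENT_HELLO:
        cs = b"".join(struct.pack("!H", s) for s in suites)
        body = (b"\x03\x01" + fixed_random + b"\x00"
                + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    elif msg_type == SERVER_HELLO:
        body = (b"\x03\x01" + fixed_random + b"\x00"
                + struct.pack("!H", suites[0]) + b"\x00")
    else:
        raise ValueError("unsupported handshake type")
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_hello(record):
    """Return (msg_type, suites): every suite offered by a ClientHello, or
    the single suite selected by a ServerHello. Everything read here is
    transmitted in the clear, before any key has been agreed."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    handshake = record[5:5 + rlen]
    msg_type = handshake[0]
    mlen = int.from_bytes(handshake[1:4], "big")
    msg = handshake[4:4 + mlen]
    pos = 2 + 32                       # skip client/server version and random
    sid_len = msg[pos]
    pos += 1 + sid_len                 # skip session id
    if msg_type == CLIENT_HELLO:
        (cs_len,) = struct.unpack("!H", msg[pos:pos + 2])
        pos += 2
        suites = [struct.unpack("!H", msg[pos + i:pos + i + 2])[0]
                  for i in range(0, cs_len, 2)]
        return msg_type, suites
    if msg_type == SERVER_HELLO:
        (chosen,) = struct.unpack("!H", msg[pos:pos + 2])
        return msg_type, [chosen]
    raise ValueError("not a Hello message")


def check_negotiation(client_record, server_record):
    """Findings for one ClientHello/ServerHello pair; empty means clean.

    The FREAK signature is the last finding: the server 'selects' an export
    suite the client never offered, because a MITM rewrote the ClientHello."""
    _, offered = parse_hello(client_record)
    _, (chosen,) = parse_hello(server_record)
    findings = []
    exp_offered = [EXPORT_SUITES[s] for s in offered if s in EXPORT_SUITES]
    if exp_offered:
        findings.append("client offered export suites: " + ", ".join(exp_offered))
    if chosen in EXPORT_SUITES:
        findings.append("server selected export suite " + EXPORT_SUITES[chosen])
    if chosen not in offered:
        findings.append("server selected 0x%04x, which the client did not offer" % chosen)
    return findings


if __name__ == "__main__":
    client = build_hello(CLIENT_HELLO, [ECDHE_RSA_AES128_GCM, RSA_AES128_CBC])
    print("honest server:", check_negotiation(client, build_hello(SERVER_HELLO, [RSA_AES128_CBC])))
    print("MITM bid-down:", check_negotiation(client, build_hello(SERVER_HELLO, [0x0003])))
```

In a real deployment the records would come from a capture or an inline tap rather than from `build_hello`, and a non-empty findings list is the point at which the spoofed-RST idea from the post above would fire. Note that the "not offered" check only works if the monitor sees the ClientHello as the client sent it (on the client's side of the attacker), and that a legitimate server never selects a suite absent from the ClientHello, so that finding has no benign explanation.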
The SSL implementation is NOT part of the kernel.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
Just configuring openssl is not enough. There's at least THREE different SSL libraries in common use on linux and the chances are you have applications using all of them.
Says the AC who is too Chicken to post under his name. Seems that it's people like him that are the real problem. Just sayin
I was thinking server side, for the web server. But yes, you need to ensure every service you provide that uses TLS is properly configured.
I'm not sure how much this would impact something like SMTP-S or IMAPS, since the connection duration on those types of service is so short.
The big target is going to be web servers.
Then you're part of the problem.
If vendors didn't pander to people running IE 5 then they would sack the fuck up and call their nephew to spend 5 minutes installing Teamviewer and Google Chrome.
People who refuse to run modern shit on their hardware may be the majority, but only because assholes are willing to bend over backwards selling them "lazy" as a commodity.
Not sure what the GP is going on about.
In my observations, retiring Windows XP drastically reduced the number of issues from "my stuff doesn't work, it's new, I bought it 10 years ago, why not?" complaints.
There was a small cadre of folks re-installing XP on new machines (I did it too) because there wasn't a reason not to. After Nosebleed and Hearbeep (or whatever) happened last year I shut off old ciphers on all my stuff. And know what? NOBODY NOTICED. I get an occasional hit from China or other shitholes I don't care about trying it, and they often come along with other probes so it's not real traffic.
So the point is, GP isn't correct when he's talking about his "majority," there is no such group. They're gone. The idea that there is a technically adept person running old shit because it still works, who also doesn't know it's risky, and also can't afford to upgrade to new shit is a Venn diagram with three unconnected circles on it.
Go ahead and run what you want as a hobby if you get fulfillment from it. If your hobby puts you at risk, or can't be used somewhere, tough shit.
It's a downgrade attack that uses ancient old ciphers. Can we assume that any site that is vulnerable to FREAK is also vulnerable to other downgrade attacks and generally is likely to use old and insecure ciphers?
I mean if you score an A on ssllabs tests which already penalise you for weak ciphers it shouldn't be an issue right?
Sigh.
So, as I understand it, the current situation is:
- We can't allow use of RC4 because it's weakened significantly.
- If we disallow RC4, we open ourselves up to BEAST in practical terms.
- We need to move towards PFS and TLS 1.2 but the major libraries don't support it in major stable versions and/or we break an awful lot of the world's clients in doing so.
- A lot of the chain certificates out there are still using only SHA1 which makes them weak.
- And now we have to start worrying about clients that allow downgrade attacks on the connection.
- We can't use OpenSSL at the moment because all the interesting new features (TLS 1.2, etc.) are only in Beta.
- We can't use LibreSSL at the moment because it isn't available in many mainstream distros.
Seems to me like we really need a massive revamp of security here and ditching old clients entirely.
Almost every site on the Qualys SSL Labs tests rates B at best now because of the current situation (from which they recognise there is no practical escape even though it should probably rank them all lower): https://www.ssllabs.com/ssltes...
I think it's time we just ditched everything and provide a way for browser security to be pulled out of the browsers entirely and made independently upgradeable, so you can browse a modern TLS 1.2 site with a browser that's a few weeks old.
Users who are stuck using browsers that are incapable of applying more up-to-date ciphers are nowhere close to the majority. They're over an order of magnitude away from being the majority, in fact.
For others joining, apk is referring back to this single-sentence post of mine and the ensuing thread.
Anyway, I have some time to kill and karma to burn.
AdBlock doesn't do a FRACTION of what hosts can and for FAR LESS resources consumed... period/fact!
I agree entirely that extensions are far less efficient than hosts. I'm inclined to disagree that the extensions do less hosts, but it's not a point worth arguing for me. What's more important is that, as I already said in response to you, this isn't an either/or. Use both, since each of them does stuff better than the other. Hosts can't do everything that ad-blocking extensions can, and ad-blocking extensions can't do everything that hosts can. Simple as that.
At least I can REMEMBER what I said that week or not, unlike yourself... lol!
I remember what I said. I'm unclear both why you'd suggest I can't or why it's in any way relevant.
What doesn't "apply" on the topic @ hand in what I wrote too, boy?? I am *NEVER* off topic on hosts (I only respond to "Almost ALL Ads Blocked" fanboys like you
You do realize that you're entirely off-topic right now, don't you?
The reason you were off-topic with your original attack on AdBlock is because I wasn't defending AdBlock to begin with. On the contrary, the original post I made was advocating that people abandon AdBlock. You apparently saw "AdBlock" and assumed I was a fanboy, despite my explicitly encouraging people to ditch it.
As for your request that I provide proof, I'm not sure what it is that you're referring to. I'm more than happy to "eat my words" when I'm wrong, since it means that I will know better in the future, but I never suggested I had proof of anything related to hosts. The only evidence I noted at any time was the evidence that uBlock is more efficient than AdBlock. That's it.
Hosts is significantly more efficient than either of those extensions, of course, but it works best when it's paired with them, rather than against them.
(Sorry for the delay...was out of town this weekend and just got back)
Oh, is that all you were asking? The simple answer is that I didn't say I used hosts prior to my first response to you. My original post was constrained to the topic of ad-blocking extensions, hence why I didn't mention the fact that I also use hosts to complement the extension(s), and hosts hadn't come up otherwise at any time recently, so you're correct about it not being in my recent comment history. I don't know why you think that I was claiming I had noted it recently, nor do I understand why whether I did or didn't would even matter.
If Opera can do that out of the box, great! That said, I was pointing out that hosts itself can't do it, and Opera doesn't disprove that. Moreover, not everyone uses Opera, and those of us on other browsers still need to have a way to take advantage of the feature since hosts can't do it for us...hence our use of extensions to complement hosts. But if Opera fills that need for you in place of using an extension, by all means, go for it and enjoy the lack of extensions. I have no issues with your approach, though it isn't one that I will follow, since I'm not a fan of Opera for my own use.
And thanks for the link! Let me know when it works on other OSes, since I don't use Windows at home. In the meantime, I will point out that, from what I can tell, it appears that it's still a bit more work than the all-in-one-fully-automated packages that modern ad-blocking extensions offer, since it requires some configuration and setup that will put off quite a few people, whereas many of these extensions don't require any sort of setup or configuration. Even so, apps like yours help to make hosts MUCH more manageable and MUCH more approachable for people who aren't used to mucking around in their computer's innards, so kudos to you for putting that together.
See subject: You screwed up & never said you use hosts once there (prior to your saying you did AFTER you gave me guff telling me to "read more closely")...
I think I understand the confusion now. The "read more closely" comment wasn't related to my using hosts. As you correctly said, you couldn't possibly know that I used hosts until I said so, and I said I used it in the same comment where I said "read more closely". The "read more closely" comment was in relation to the fact that you posted an attack on AdBlock in response to my initial post, presumably because you thought my initial post was a defense of AdBlock (which it wasn't), which I believed was the result of your not having read my initial post carefully enough. That's all.
Hosts unquestionably DO MORE THAN ANY SINGLE BROWSER ADDON OUT THERE, & for less resources consumed by FAR
We can both agree that hosts is very good at doing what it is designed to do and that it's more efficient at doing what it's designed to do than extensions are. Hosts is a purpose-built tool at a lower level that does a specific set of tasks extremely well. Extensions and add-ons are tools that do a huge variety of tasks reasonably well. Arguing that hosts is both more efficient AND more capable is like arguing that a traditional GPU is both more efficient AND more capable than a traditional CPU, even though they are intended for different purposes.
It works. Better than ANY OTHER like it in fact [...]
That's great. I just wish your app worked for me. I'm sure I could port it if I wanted to, since I have network programming experience at much larger scales than this (my grad research involved distributed, massive-scale web crawlers), but it's not an important enough issue for me to set aside the time necessary. I'm happy to just intermittently update my custom hosts file manually until a fully-automated solution arrives that works for me.
If we're constraining your assertion to ad-blocking addons, then I'd be willing to concede that they may indeed be both lesser-featured and less efficient (I'm not willing to do the research necessary to ascertain whether it's true or not). Even so, I still contend that some have features that hosts lacks, and that as a result they remain useful as a complement to hosts.
If we're talking about addons in general, as your assertion was originally phrased, then no, hosts does not do more than any addon. Off the top of my head, I'd say it's fairly safe to assume that Greasemonkey, for instance, does far more than hosts ever will. But that's an unrelated discussion, or at least I hope it is.
I'm simply asserting that hosts and ad-blocking addons do different things and that they're best used together, rather than to the exclusion of the other, but that where their features do overlap, I readily agree that hosts is more efficient. I'm fairly certain that's already a valid stance, and if we can't agree on it, I'm not going to argue it further.
Likewise, I'm not going to argue about which of them "does more". I don't know how you'd objectively quantify that, nor do I see why that matters at all, nor do I have any interest in arguing it with anyone. Yes, you have a list of a lot of things that hosts can do. I'm sure someone else has a nice list of everything that ad-blocking addons can do. And I'm equally sure that we can pad both lists by splitting up items and rewording them a bit. Seeing which list has more items in it is a pointless and subjective exercise, since I'm only interested in using a subset of those features anyway, and don't care in the least which of them "does more".
All I care about as a user is if the addons can do something I want to do that hosts can't do (they can) and if hosts can do something I want to do that the addons can't do (it can). As such, I'll continue using both.
You can't argue in favor of "Almost ALL Ads Blocked" [...]
Let me stop you right there.
You keep repeating that quote over and over again as if it's something I said, yet never once did I say or argue that. Stop putting words in my mouth. If you'll cease treating me as an antagonist and will stop constructing straw men arguments for a moment, you'll find that we already agree on almost everything and have been from the start.
It's SO nice NOBODY can prove it wrong... TRUTH is like that.
I agree. Your list is valid. I never argued otherwise. That's also why I never directly addressed it, since there's no point in addressing topics that we agree on.
Where is it then?
Darned if I know, and darned if I care. As I said before and as I'll explain in more detail below, those sorts of lists are useless for the discussion we're having.
I'll tear it in 1/2 vs. hosts too... or, as I did with specific content blocking, how Opera (or other browsers) can do that
You pointed out an alternative solution that works in one browser. That's great for some people, not all. Having alternatives is certainly a good thing, but it's not the complete solution you make it out to be. You've failed to provide me with an alternative that provides those features in Chrome, Firefox, Internet Explorer, or Safari, all of which are more widely used than Opera. As such, add
How you could be SO obstinate & run from facts I put out, I will NEVER know, or understand
I'm obstinate about refusing to accept absolute assertions regarding subjective matters. I don't disagree with you, but I don't agree either, because I think there is no basis for agreement or disagreement.
My current problem is that you're saying, "X does more" and are using that itemized list of features as the basis for your assertion. The thing is, I bet we could double the length of your list without too much difficulty if we got a bit more specific about some of the things it does. And it'd all still be perfectly valid and accurate. Wouldn't you agree?
Likewise, any list that exists for the other side could be increased or decreased in a similarly arbitrary manner without making it untrue. As a result, arguing that "X does more than Y" on the basis of such lists is a meaningless argument, since we could easily consolidate or split up items in those lists to inflate/deflate the number of items present, while all of it is still accurate and true.
Until you can provide an objective basis for asserting that one "does more" than the other, I can neither agree nor disagree with that assertion. THAT'S what I'm being obstinate about.
I had to put YOUR WORDS in your mouth
Except that they weren't my words. I can speak for myself.
You couldn't even remember NOT noting hosts in our exchange originally!
Sure I could...once I understood that that's what you were asking, but it took two or three posts before I even understood what you wanted. Once I did, I realized I had miscommunicated earlier, so I clarified what I had said.
Hosts work on ANY browser (or app) on a PC operating system - not just "some" as you said...
I did not say it only worked on some. In my very first response I even listed hosts' ability to work across browsers and services as one of its major benefits.
My only claim regarding browser-specific functionality was related to features that hosts doesn't even try to do, such as the specific content blocking that Opera supports. I said that addons are useful to people who want those features, since hosts don't provide them, and not everyone uses a browser that has them built in.
[...] you're NOT denying hosts are more efficient & do more than "Almost ALL Ads Blocked" by FAR, + for less resources consumed - that's ALL I really needed to see or hear... apk
I neither deny it nor accept it. To me, it's like saying that a car does more than a computer...maybe it's true, but how would we objectively measure that? A list of features is a subjective metric.
I will agree with you, however, just as I have from my very first response, that where their features overlap, hosts is more efficient.
P.S. I don't know if I've ever been asked to defend so many things I didn't say. Just to make it clear where I have been standing all along...
1) Where their features overlap, hosts is more efficient than addons.
2) Hosts does things addons don't do, and addons do things hosts doesn't do.
3) Hosts works across all browsers and services, addons don't.
4) Addons are easier to maintain and use than hosts.
1-3 are readily apparent facts, so I'm confused why we haven't reached agreement, and #4 is a matter of opinion.
To me, this was never a debate at all, since we're on the same side: people should be using hosts, and tools like the one you make are beneficial in helping people to use hosts more easily.
I'm just sad you haven't realized we're on the same side yet and have continued resorting to antagonistic approaches towards me. I mean, what would I "EVER try" again: telling people to ditch AdBlock because it's inferior to alternatives? Because that's what started this whole discussion.
That wasn't intended to be antagonistic towards you, though I can certainly see how it would be taken that way since it was expressed rather rudely of me, so I do apologize for that. What I was trying to convey is that you're undermining your own arguments with your style of posting. It was your way of expressing your idea that I took issue with, not you.
When I saw your original response to me, I read a few of the bolded phrases and came to the incorrect determination that it was a spam post from one of the numerous spammers Slashdot has. It wasn't until your second post that I realized you were a normal person who was actually trying to make a point. That's why I said it looked like it was from a crazy spammer. I continue to stand by what I said (though not the way I said it), since I still believe that your formatting is undercutting the message you're seeking to convey to others.
The reason why I referred to you as being antagonistic towards me is because of things like your continued use of "boy" as a derisive term aimed my way, as well as a case or two where you've chosen to engage in baseless ad hominem attacks against me.
I didn't call you a crazy spammer. I said you looked like one with the way you formatted your post, and I stand by that claim. You're welcome to disagree or disregard what I've said.
As for your points, I already said I agreed with all of them...
It's SO nice NOBODY can prove it wrong... TRUTH is like that.
I agree. Your list is valid. I never argued otherwise. That's also why I never directly addressed it, since there's no point in addressing topics that we agree on.
And I really did dismiss your original post as a spam post, just based on the way it was presented. It really wasn't until your second post that I realized you weren't a spammer. Whether you believe that or not is entirely your choice, but it is the truth. Take it into account or don't. It's just an anecdote, after all.