Slashdot Mirror


FREAK Attack Threatens SSL Clients

msm1267 writes: For the nth time in the last couple of years, security experts are warning about a new Internet-scale vulnerability, this time in some popular SSL clients. The flaw allows an attacker to force clients to downgrade to weakened ciphers and break their supposedly encrypted communications through a man-in-the-middle attack. Researchers recently discovered that some SSL clients, including OpenSSL, will accept weak RSA keys–known as export-grade keys–without asking for those keys. Export-grade refers to 512-bit RSA keys, the key strength that was approved by the United States government for export overseas. This was an artifact from decades ago and it was thought that most servers and clients had long ago abandoned such weak ciphers. The vulnerability affects a variety of clients, most notably Apple's Safari browser.

14 of 89 comments

  1. Re:FREAK by gstoddart · Score: 2

    Or, you know ... Factoring-attack on RSA-Export Keys.

    Seriously, there's a lot of different ways to do an acronym (or a backronym as this likely is).

    My suggestion? Get over it.

    --
    Lost at C:>. Found at C.
  2. Firefox OK, Chrome needs fixing by SIGBUS · Score: 4, Informative

    I tried the test on up-to-date Firefox (36.0) and it's immune, but Chrome on Android (40.0.2214.109) is vulnerable.

    --
    Oh, no! You have walked into the slavering fangs of a lurking grue!
    1. Re:Firefox OK, Chrome needs fixing by jo_ham · Score: 2

      Also interesting to note here that according to Slashdot, it's official that Safari is more notable than Chrome.

      Must be market share or something.

  3. Re:Is there any way to block the use of old cipher by chill · Score: 3, Interesting

    Yes. http://www.openssl.org/docs/apps/ciphers.html

    The question is: does OpenSSL accept the weak ciphers as a downgrade bug even when EXPLICITLY DISALLOWED?

    I haven't seen that answered in any of the linked articles, so I am digging/testing.

    After the last couple of bugs my organization set the explicit cipher/algorithm/hash acceptable list. The export ciphers were excluded on purpose from our list.

    SSL Labs https://www.ssllabs.com/ has a recommended list buried in their documentation somewhere.

    --
    Learning HOW to think is more important than learning WHAT to think.
  4. Arstechnica post fake Apple/android security alert by lippydude · Score: 2

    "The so-called FREAK attack - short for Factoring attack on RSA-EXPORT Keys - is possible when an end user with a vulnerable device - currently known to include Android smartphones, iPhones, and Macs running Apple's OS X operating system - connects to an HTTPS-protected website configured to use a weak cipher that many had presumed had been retired. At the time this post was being prepared, Windows devices were not believed to be affected, and the status of Linux devices was unknown"

  5. Re:Is there any way to block the use of old cipher by chill · Score: 3, Informative

    Answering myself to preserve the thread.

    It looks like the export cipher suite must be enabled for this to work. So if you didn't turn off old, busted ciphers then you're potentially vulnerable.

    Meh. Set your approved cipher suite and be done with it.

    --
    Learning HOW to think is more important than learning WHAT to think.
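    The question in comments 3 and 5 is whether an explicit cipher list actually keeps export suites out. Added example (not from the thread or from OpenSSL): it flags export-grade suites in `openssl ciphers -v` style output (the sample lines are constructed here) and then asks the local OpenSSL, via Python's ssl module, what a hardened cipher string really resolves to, so the operator can verify no EXP-/sub-128-bit suite survives.

```python
import ssl

# Constructed sample in the shape of `openssl ciphers -v` output from a
# 1.0.x-era build that still shipped export suites (not real captured output).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
"""

# Assumed hardened cipher string: ECDHE-only key exchange, AES, and explicit
# exclusions for export, low-strength, anonymous and broken primitives.
HARDENED = "ECDHE+AESGCM:ECDHE+AES:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!DES"


def export_grade_suites(ciphers_v_output):
    """Return the suite names that are export-grade: the EXP- prefix, the
    trailing 'export' flag, or a 512-bit RSA key exchange (the FREAK key size)."""
    found = []
    for line in ciphers_v_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        name = fields[0]
        if (name.startswith("EXP-") or "export" in fields[1:]
                or "Kx=RSA(512)" in fields):
            found.append(name)
    return found


def resolved_suites(cipher_string):
    """Let the local OpenSSL expand a cipher string and return the suite names
    it will actually offer for that string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(cipher_string):
    """Suites in the resolved list that are export-grade or below 128 bits;
    an empty list means the cipher string did what the operator intended."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()
            if c["name"].startswith("EXP-") or c["strength_bits"] < 128]
```

    Note that a clean result here only proves the server-side list is right; the FREAK client bug is that a vulnerable client accepts a 512-bit RSA key it never asked for, which is fixed by patching the client, not by the server's cipher list.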
  6. Re:FREAK by OverlordQ · Score: 2

    So the acronym is FARK? Sponsored by Drew.

    --
    Your hair look like poop, Bob! - Wanker.
  7. LibreSSL / OpenBSD vulnerable as well? by thatseattleguy · Score: 2

    So would clients built using the SSL libraries from the (stripped-down, un-borked) version of SSL that the OpenBSD team recently did - LibreSSL - be vulnerable as well?

  8. Re:FREAK by TechyImmigrant · Score: 2, Funny

    Factoring Attack on RSA-EXPORT Keys

    Why do people go to the trouble of making an acronym if they're going to screw it up anyway?

    Factoring Attack on Rsa-exporT keys?

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  9. Re:Ciphersuite Negotiation by Opportunist · Score: 2

    One set of algorithms, good for the lifetime of the device... hmm... you mean, like, say, SSLv3 until about 6 months ago? If we hadn't found POODLE, it would still meet all criteria for a good, secure algo for the foreseeable future. At the very least for the lifetime of any device built within the last year (until about 6 months ago, of course).

    There is no such thing as "guaranteed to be secure for the lifetime of a device". All it takes is to find a fundamental flaw in the algorithm (like, well, POODLE) and what was supposedly bulletproof for the next few decades crumbles like a house of cards the next day.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. And this, kids, is why you configure your servers by Opportunist · Score: 3, Insightful

    Because clients are run by idiots. Sorry, but it's true.

    Clients are run by people who look at the funny acronyms and you can watch their eyes glaze over. If they know anything about it, they will know that there are keys and these keys depend on how big the number next to them is. That there are symmetric and asymmetric keys and that 512bit can be a LOT if it's symmetric and insignificantly little if it's asymmetric is already something you won't be able to teach them.

    So configure your servers, people. Configure them to ONLY accept sensible ciphers. Yes, that means that people with Internet Explorer 5 might not be able to use your page. Then inform them to fucking get a browser that was made in this millennium! These people are a security risk and bluntly, if you want to do business with them, you do not want to do business with me.

    Or at least I don't want to do business with you!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Re:Is there any way to block the use of old cipher by Reemi · Score: 3, Informative

    I extensively make use of this site for cypher selection:
    https://wiki.mozilla.org/Secur...

    There are 3 levels of configuration proposed which you can use as a starting base for your own selection. The EXPORT cyphers are explicitly marked as 'Mandatory discards'. Any serious website running with these cyphers should be fined for exposing their visitors.

  12. Re:512 should still be too high a bar... by compro01 · Score: 2

    512 bits isn't a very high bar anymore.

    It took 6 months and 8000 MIPS-years to factor RSA-155 back in 1999.

    According to Dhrystone, the CPU in the computer I'm typing this post on could do those 8000 MIPS-years in roughly 3 weeks and you could probably knock that down to less than a day if you brought the GPU into the matter, let alone something with some real oomph.

    --
    upon the advice of my lawyer, i have no sig at this time
  13. Re:Is there any way to block the use of old cipher by petermgreen · Score: 2

    The SSL implementation is NOT part of the kernel.

    --
    note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register