Two New Vulnerabilities With Severe Risk -- Skip-TLS and FREAK

The SMACKTLS team has posted two new major vulnerabilities to internet infrastructure today.

Both of the new attacks require a man-in-the-middle to tamper with inbound and outbound traffic in order to elicit weak encryption. This is usually done by fooling clients into visiting a fake web server through DNS manipulation or manipulation of the HOSTS file.

The first of the two has been named Skip-TLS.

Researchers found that in certain implementations of SSL, you can skip steps of the handshake, and the software will continue the process from that point forward. This allows an attacker to "skip" steps of authentication and selecting encryption ciphers. This effectively nullifies any encryption and can force a vulnerable client to send data unencrypted.

Even worse, as long as the client present a valid certificate from ANY SITE, the Skip-TLS process works on vulnerable clients. This means that if you wanted to fool a vulnerable client into thinking you're at Chase.com (arbitrarily chosen, Chase is no more vulnerable than anyone else) you could present a certificate that you purchased for any other site and it will show as a secure https connection in the browser, not alert the user, and it will have been compromised by Skip-TLS.

The impacted versions of SSL are:
JSSE - Applying the January security updates protects you.
CyaSSL - Versions 3.3.0 and later are protected from this attack.

These libraries are typically used in conjunction with Java apps that require TLS authentication. This can include apps that are used to connect to Amazon Web Services (AWS), Google Services, Paypal, and more.

The most troubling attack is the FREAK attack.

This attack makes use of Clinton-Era cryptography that was made intentionally weak to allow the US to be able to crack any data deemed valuable. This involved export controls that created weaker ciphers than what were allowed to be used in the US. These were called EXPORT RSA ciphers. They shortened the strength of RSA from standard 1024 bit or 2048 bit to 512 bit strength in software that was being exported out of the United States.

Remember that RSA strength is exponential for each bit. This makes the encryption 13407807929942597099574024998205846127479365820592393377723561443721764030073546
976801874298166903427690031858186486050853753882811946569946433649006084096 times less secure than the same software with a 1024-bit key.
(Calculated in Wolfram Alpha)

These cipher suites were very popular in the 90's due to the export controls implemented by the United States. Shipping encryption of any greater strength was considered to be "exporting weapons of war" and carried incredibly harsh penalties.

OpenSSL for reasons that are beyond me, still supports the Export cipher suites that were included in the first versions of OpenSSL that were developed by Netscape back in the 1990's. The export laws were eventually changed, but the Export code still lies in wait in OpenSSL, waiting to rise from the dead and wreak havoc on our high-end TLS encryption.

Essentially what has happened is researchers have found that there is a way to send export-grade keys to OpenSSL and Apple's SecureTransport. What you do is start out the TLS session normally, but when the victim requests the full length 1024/2048/4096 bit RSA key, the attacker sends a 512 bit export key. The victim clients accept this weak key, and move on with encryption using the much weaker key. A 512-bit key can be factored in minutes by a dedicated attacker, in seconds by an advanced persistent threat like a government with significant computing resources. If you factor the RSA key, you can then decrypt the entire session because you see the shared secret of the symmetrical key that is used for that session.

To be clear, it doesn't matter what the rest of the cipher suite is using.

EXPORTRSA-AES-256-CBC-SHA512 is the same strength as EXPORTRSA-DES-40-CBC-SHA0 in this scenario.

The really ugly part about FREAK is the list of vulnerable sites and software:
All Akamai CDN hosted websites (fixes being implemented now)
Any site with a Facebook like button (widely vulnerable until patch)
NSA.gov
Whitehouse.gov
tips.FBI.gov
AmericanExpress.com
Bloomberg.com
Groupon.com
NPR.org
BusinessInsider.com
Kohls.com
Nationalgeographic.com
Forever21.com
JCpenney.com
Jcrew.com
ZDnet.com
Google Android Browser (patches have been distributed to carriers, no ETA from major carriers)
Google Chrome (fixed in current version, including mobile, UPDATE YOUR BROWSERS!)
Opera for Apple OSX and Opera for Linux (Opera for Windows is safe)
Apple Safari (currently vulnerable, tested March 5th 2015 at 5:08 PM CST, no ETA on fixes)
Blackberry web browser
Microsoft Internet Explorer (all versions) (registry-based fix here)
OpenSSL versions older than the January security updates

Protecting yourself from FREAK:
Firefox is unaffected, use it for the time being if your current browser is vulnerable.
Chrome is immune to FREAK as long as you have the most current version.
Avoid using Safari at all until Apple issues a fix.
Update OpenSSL in your Linux install if you haven't recently.

Manually check your browser for vulnerability: https://freakattack.com/

Notice: The VikingVPN website is not vulnerable to the FREAK attack. We only use cipher suites with perfect forward secrecy and manually disabled the EXPORT ciphers with the initial implementation of our website.

Sources:
https://www.smacktls.com/
http://arstechnica.com/security/2015/03/freak-flaw-in-android-and-apple-devices-cripples-https-crypto-protection/
http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
https://freakattack.com/



< last
next >