FREAK show: Apple and Android SSL WIDE OPEN to snoopers
OpenSSL, iOS and OS X tricked into using weak 1990s-grade encryption keys
Security researchers are warning of a flaw in OpenSSL and Apple's SecureTransport – a hangover from the days when the US government was twitchy about the spread of cryptography.
It's a flaw that allows an attacker to decrypt your login cookies, and other sensitive information, from your HTTPS connections if you use a vulnerable browser such as Safari.
Apple's SecureTransport is a library used by applications on iOS and OS X, including Safari for iPhones, iPads and Macs. OpenSSL is open source, and used by Android browsers, and many other things.
OpenSSL and SecureTransport encrypt connections to online banking, webmail, and other HTTPS websites, and so much else on the internet, to thwart eavesdroppers.
It turns out the encryption used by OpenSSL and SecureTransport can be crippled by an attacker on your network: apps can be tricked into using weak encryption keys, allowing determined miscreants to pluck login cookies and other sensitive information out of your SSL-protected traffic.
"A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204," according to freakattack.com, a website explaining the security flaw.
"Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites."
You can visit freakattack.com to check if your web browser is vulnerable. Reg readers have told us that Google Chrome for OS X prior to version 41.0.2272.76, BlackBerry OS 10.3, and Internet Explorer 11 in the Windows 10 Technical Preview, are flagged up as vulnerable.
How has this happened?
Back in the early 1990s, the US government banned Americans from selling software overseas unless the code used so-called "export cipher suites" that involved encryption keys no longer than 512 bits.
At the time, this was supposed to ensure that Uncle Sam exported relatively weak encryption to the rest of the world, and kept the stronger stuff for itself.
The restrictions on crypto-exports were lifted, but some implementations of the TLS and SSL protocols still support this 1990s export-strength tech.
Fast forward to today
This latest flaw, highlighted today and dubbed FREAK (Factoring RSA Export Keys), is exploited during the moments when a secure connection is established but the encryption has not started.
A vulnerable client (such as a web browser, smartphone or internet-of-things gizmo) starts talking to a server (such as the machine behind an HTTPS website), and lists the encryption algorithms and key lengths it supports and those it prefers. Ideally, these are all strong ciphers and long keys.
An attacker able to intercept traffic between the client and the server can tamper with that message to say the client only wants weak-ass export-grade keys, such as a 512-bit RSA key.
Due to bugs in OpenSSL and SecureTransport, if the server shrugs its shoulders and replies with a weak key, the client will accept it, and the encryption process begins.
Now, 512-bit keys used to be considered good enough 20 years ago, but they aren’t that tough to crack these days. $100 on Amazon Web Services, and a couple of hours computing, should crack most keys – allowing the contents of the intercepted TLS/SSL communications to be decrypted.
An analysis of the attack by Assistant Research Professor Matthew Green of Johns Hopkins University's Information Security Institute in Maryland summarizes the situation thus:
- In the client's Hello message, it asks for a standard 'RSA' ciphersuite.
- The MITM attacker changes this message to ask for 'export RSA'.
- The server responds with a 512-bit export RSA key, signed with its long-term key.
- The client accepts this weak key due to the OpenSSL/SecureTransport bug.
- The attacker factors the RSA modulus to recover the corresponding RSA decryption key.
- When the client encrypts the 'pre-master secret' to the server, the attacker can now decrypt it to recover the TLS 'master secret'.
- From here on out, the attacker sees plaintext and can inject anything it wants.
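The check the client failed to make at the "accepts this weak key" step, as an added Python model (not OpenSSL's or Apple's code). The suite IDs are the IANA values for the RSA_EXPORT family; `ServerFlight`, `client_accepts` and `exposed_to_freak` are hypothetical names, and the handshakes are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional

# IANA IDs of the RSA_EXPORT cipher suites (RFC 2246).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
EXPORT_MAX_BITS = 512  # export-grade key limit quoted in the article

@dataclass
class ServerFlight:  # hypothetical model of what the client sees from the server
    chosen_suite: int              # suite named in ServerHello
    temp_rsa_bits: Optional[int]   # temporary RSA key in ServerKeyExchange, if any

def client_accepts(offered, flight, patched):
    """Return (accepted, reason) for the server's handshake messages."""
    if flight.chosen_suite not in offered:
        return False, "suite was never offered by this client"
    if flight.temp_rsa_bits is None:
        return True, "no temporary key; certificate key is used"
    if flight.chosen_suite in RSA_EXPORT_SUITES:
        return True, "export suite negotiated; temporary key is expected"
    if patched:
        return False, "temporary RSA key not allowed for a non-export suite"
    return True, "BUG: temporary RSA key accepted for a non-export suite"

def exposed_to_freak(offered, flight, patched):
    """True when the session key ends up protected by an export-grade RSA key."""
    accepted, _ = client_accepts(offered, flight, patched)
    bits = flight.temp_rsa_bits
    return accepted and bits is not None and bits <= EXPORT_MAX_BITS

if __name__ == "__main__":
    strong_only = [0x002F, 0x0035]   # TLS_RSA_WITH_AES_128/256_CBC_SHA
    legacy = strong_only + [0x0003]  # client that still offers an export suite
    cases = [  # constructed sample handshakes
        ("strong-only client, weak temp key", strong_only, ServerFlight(0x002F, 512)),
        ("client offering export suite", legacy, ServerFlight(0x0003, 512)),
        ("normal RSA handshake", strong_only, ServerFlight(0x002F, None)),
    ]
    for name, offered, flight in cases:
        for patched in (False, True):
            print(name, "| patched" if patched else "| unpatched",
                  "->", exposed_to_freak(offered, flight, patched))
```

The second case stays exposed even with the patched check, which is why the freakattack.com condition also covers clients that offer an RSA_EXPORT suite and why servers need to stop accepting those suites.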
But what servers in this day and age are configured to drop down to 512-bit keys if asked to by a client? You would expect most to support 2048-bit keys as a minimum, right?
An estimated 36 per cent of 14 million browser-trusted websites scanned by researchers will drop down to 512-bit keys or below, as will 26.3 per cent of the probed IPv4 space. About 12 per cent of the Alexa top one million most popular websites will do so, too.
Whitehouse.gov, the FBI tips line tips.fbi.gov, and amusingly nsa.gov also happily drop down to weak keys if asked nicely.
In short, if you're using a vulnerable web browser or other program, and you visit one of these lax websites, someone able to intercept your traffic (think a dodgy Wi-Fi network) can silently decrypt your connection to log into your online accounts or inject malware into your browser.
Patches for everyone
In January, OpenSSL released a patch for the bug, CVE-2015-0204, to sort out the issue, which it ranked as "low" severity. Apple has said it will patch SecureTransport for OS X and iOS, and most operating systems bundling OpenSSL should roll out the fix soon enough if not already.
Check for updates for your software and OS in the usual way.
It's bad news, though, for people stuck on old Android, or with embedded stuff in their home, office and factories that cannot be updated – well, until every website on Earth disables export-grade cryptography.
And it shows the knock-on effects of buggering about with technology for political purposes.
"There is an important lesson here about the consequences of crypto policy decisions: the NSA’s actions in the ‘90s to weaken exportable cryptography boomeranged on the agency, undermining the security of its own site twenty years later," said Canadian security expert Professor Ed Felten.
"Next time you hear a government official ask to modify a security system to protect their own access to data, ask yourself: What are the side effects? How do we know we won’t regret this later?"
It's a very timely question. The head of the NSA is pushing hard for a backdoor (although he doesn’t like that term as it "sounds sinister") into encryption systems because, uh, terrorism, despite warnings from security professionals.
Hopefully attacks like this may make him think again, but we're not holding our breath. ®