[SingCERT] FREAK Attack

Published on Wednesday, 04 March 2015 19:49

[ Background ]

Researchers from IMDEA, INRIA and Microsoft Research discovered a new SSL/TLS bug that allows attackers to conduct man-in-the-middle attacks to downgrade the level of encryption used between a vulnerable browser and a vulnerable server to a weaker, easily crackable level.

According to The Washington Post, the flaw resulted from a former U.S. government policy that forbade the export of strong encryption products out of the USA and required that weaker "export grade" products be shipped to customers in other countries. The export-grade encryption codes (such as 512-bit RSA keys) were not removed even though the restrictions were lifted.


[ Affected Software ]

Client-side

  • Apple Safari browser (both mobile and desktop versions)
  • Android's built-in browser

Server-side

  • OpenSSL 1.0.1k and older


[ Recommendations ]

For Website Owners

  • Website owners should upgrade affected servers to the latest version of OpenSSL.
  • Website owners whose websites are hosted on content delivery sites such as Akamai should check with the relevant technical support personnel whether the website is affected and whether it has been patched.
  • Website owners should check if their servers are affected by running the following command:

    openssl s_client -connect <company's website URL>:443 -cipher EXPORT

If an "alert handshake failure" message is returned, the server is not affected.
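
The check above as a small script, added here as an example and not part of the SingCERT advisory: it runs the same command and maps the output to a verdict. The function names, verdict words and sample outputs are constructed for illustration; the "inconclusive" verdict covers a local OpenSSL build that has no export ciphers to offer ("no cipher match"), in which case the test never reached the server.

```shell
#!/bin/sh
# Added example (not from the advisory): run the advisory's check and
# interpret the result.

# Reads `openssl s_client` output on stdin and prints one verdict.
classify_export_probe() {
    _out=$(cat)
    case "$_out" in
        # Local OpenSSL has no export ciphers to offer: the test never ran.
        *"no cipher match"*)         echo inconclusive ;;
        # Advisory's criterion: the server refused every export cipher.
        *"alert handshake failure"*) echo not-affected ;;
        # OpenSSL names export suites EXP-...; one was negotiated.
        *"Cipher is EXP"*)           echo affected ;;
        # Connection error, timeout, or anything unrecognised.
        *)                           echo inconclusive ;;
    esac
}

# $1 = server hostname; port 443 as in the advisory's command.
probe_host() {
    openssl s_client -connect "$1:443" -cipher EXPORT </dev/null 2>&1 |
        classify_export_probe
}

# Constructed sample outputs, so the classifier can be exercised offline.
SAMPLE_REFUSED='CONNECTED(00000003)
1407:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
New, (NONE), Cipher is (NONE)'
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5'
SAMPLE_NOEXPORT='error:0A0000B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match'

if [ -n "${1:-}" ]; then
    probe_host "$1"      # live check against the given hostname
else
    for s in "$SAMPLE_REFUSED" "$SAMPLE_ACCEPTED" "$SAMPLE_NOEXPORT"; do
        printf '%s\n' "$s" | classify_export_probe
    done
fi
```

Run it with a hostname as the only argument to perform the live check; with no argument it classifies the three constructed samples.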

For Users

  • Safari users should update Safari as soon as patches are available. Users may choose to use an alternative browser in the meantime.
  • Android users should use an alternative browser instead of Android’s built-in browser. Chrome is unaffected on Android.


[ References ]

https://freakattack.com/
https://www.smacktls.com/
http://www.zdnet.com/article/freak-another-day-another-serious-ssl-security-hole/
http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
http://www.forbes.com/sites/thomasbrewster/2015/03/03/freak-flaw-hits-android-and-iphone-users/
https://blogs.akamai.com/2015/03/cve-2015-0204-getting-out-of-the-export-business.html
http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/
https://freedom-to-tinker.com/blog/felten/freak-attack-the-chickens-of-90s-crypto-restriction-come-home-to-roost/