Bulletproof TLS Newsletter #6
FREAK attacks SSL/TLS clients
06 March 2015
This issue was distributed to 11,123 email subscribers.

This week brought us the disclosure of the so-called FREAK attack, whose name stands for Factoring RSA Export Keys. At first glance, it seemed that FREAK is just a practical exploit for CVE-2015-0204, which is a problem with OpenSSL announced back in January this year. Matthew Green has a good post describing the problem, but we'll get back to that later. Now that a couple of days have passed, it turns out that the problem is much bigger and that all major browsers except Firefox were or are still vulnerable to the same problem, even those browsers that don't rely on OpenSSL. Chrome, Internet Explorer, Opera, and Safari were all reported vulnerable.

To understand the problem we need to go back many years, to the time now long past when the US wouldn't allow export of strong encryption. This led to the creation of so-called export cipher suites, which are limited to 512 bits of security. Back then (about two decades ago), 512 bits was somewhat weak-ish, but certainly not within easy reach of many. Today, of course, it's a different story -- it can be broken within hours, and for as little as $100.

To support export cipher suites, servers have to create and use short-lived 512-bit RSA keys, even when normally using stronger keys (1024 bits originally, 2048 bits these days). The FREAK attack exists for three reasons, the first two of which concern servers. First, these 512-bit keys can now be broken by anyone in a matter of hours. Second, some servers keep these "short-lived" keys around for a very long time. What this means is that servers that support export suites are effectively willing to downgrade to only 512 bits of security.

But that isn't enough. Modern clients don't support export suites any more, which means there's no one to ask to use these weak security levels. That's where CVE-2015-0204 comes in. This problem "makes" vulnerable clients accept weak 512-bit RSA keys even when they don't ask to use export cipher suites and even if they don't support them! Normally, a server wouldn't do that, but an active network attacker could.
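The handshake anomaly just described can be spotted on the wire: a server that negotiated a plain RSA suite has no business sending a ServerKeyExchange at all, and the temporary RSA key inside one should never be 512 bits. The following Python audit is an added example, not code from this newsletter or from SSL Labs; the handshake bytes are a constructed sample and the 512-bit modulus is a placeholder number, not a real key.

```python
# Export-grade cipher suites as defined in RFC 2246 / RFC 4346.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
RSA_EXPORT_SUITES = {0x0003, 0x0006, 0x0008}   # ServerKeyExchange carries a temporary RSA key
STATIC_RSA_SUITES = {0x000A, 0x002F, 0x0035}   # a correct server sends no ServerKeyExchange
SERVER_HELLO, SERVER_KEY_EXCHANGE = 2, 12

def parse_handshake(data: bytes):
    """Yield (msg_type, body) for each handshake message in a TLS handshake fragment."""
    pos = 0
    while pos + 4 <= len(data):
        length = int.from_bytes(data[pos + 1:pos + 4], "big")   # 1-byte type, 3-byte length
        body = data[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake message")
        yield data[pos], body
        pos += 4 + length

def audit_server_flight(data: bytes) -> list:
    """Return findings that match the FREAK downgrade pattern in a server's handshake flight."""
    findings, suite = [], None
    for msg_type, body in parse_handshake(data):
        if msg_type == SERVER_HELLO:
            sid_len = body[34]                                    # after version(2) + random(32)
            suite = int.from_bytes(body[35 + sid_len:37 + sid_len], "big")
            if suite in EXPORT_SUITES:
                findings.append(f"server selected export suite {EXPORT_SUITES[suite]}")
        elif msg_type == SERVER_KEY_EXCHANGE and suite is not None:
            if suite in STATIC_RSA_SUITES:
                findings.append("ServerKeyExchange after a static-RSA suite: FREAK pattern")
            if suite in STATIC_RSA_SUITES or suite in RSA_EXPORT_SUITES:
                mod_len = int.from_bytes(body[:2], "big")         # rsa_modulus<1..2^16-1>
                bits = int.from_bytes(body[2:2 + mod_len], "big").bit_length()
                if bits < 1024:
                    findings.append(f"temporary RSA key is only {bits} bits")
    return findings

def _hs(msg_type: int, body: bytes) -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

# Constructed sample: ServerHello picks TLS_RSA_WITH_AES_128_CBC_SHA (0x002F), yet a
# ServerKeyExchange follows with a 512-bit "export" RSA key (placeholder modulus, not a key).
_MOD = ((1 << 511) | 1).to_bytes(64, "big")
HELLO_AES128 = _hs(SERVER_HELLO, b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2F" + b"\x00")
FREAK_FLIGHT = HELLO_AES128 + _hs(SERVER_KEY_EXCHANGE, len(_MOD).to_bytes(2, "big") + _MOD + b"\x00\x03\x01\x00\x01")
CLEAN_FLIGHT = HELLO_AES128   # same suite, no ServerKeyExchange: nothing to flag
```

The same check applied to a ServerHello that picks an export suite outright reports the suite by name, which is the server-side misconfiguration the SSL Labs test warns about.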

This has two practical consequences. First, an active network attacker can downgrade any connection to only 512 bits of security, if the conversation is between a server that supports export suites and a vulnerable client. This means that even if the attacker can't break the 512-bit key straight away, she can record the conversation and break the key later... but only a matter of hours later.

With servers that reuse these weak keys, it gets worse. An attacker can retrieve the key by connecting to the server, break the key, then mount an active network attack that allows her to intercept traffic (with a vulnerable client) in real time.

What can you do about this? If you're running a secure server, make sure that you're not supporting export cipher suites. If you're not sure, check with the SSL Labs server test. To protect yourself, upgrade your browser as soon as your vendor releases a patch. OpenSSL was fixed in January, Chrome on OS X this week. If we're lucky, the remaining browsers might be patched next week. To test your browser, use the SSL Labs client test.

You can find further information on the web site maintained by the University of Michigan.