back to article FREAK show: Apple and Android SSL WIDE OPEN to snoopers

Security researchers are warning of a flaw in OpenSSL and Apple's SecureTransport – a hangover from the days when the US government was twitchy about the spread of cryptography. It's a flaw that allows an attacker to decrypt your login cookies, and other sensitive information, from your HTTPS connections if you use a …

  1. Adam 1

    >FREAK (Factoring RSA Export Keys)

    I'm just glad that we have a proper acronym for this vulnerability.

    1. asphytxtc
      Stop

      What? No logo? How can we take this vulnerability seriously...

    2. Crazy Operations Guy
      Headmaster

      But shouldn't the acronym be FREK?

    3. Anonymous Coward
      Anonymous Coward

      Acronym

      Why not "Factoring USA-Compromised Keys"?

  2. Mark 65

    A Question

    The list of how to use items has something along the lines of: convince to use crap key, factor key, then can inject what they want into the stream. Now, given we are also told that to factor the key would require about $100 of processing on AWS would I be right in suggesting this is more of a TLA flaw or highly targeted spear-fishing exercise toolkit rather than something your average pleb should fear? i.e. for the man on the street it is more of a theoretical exercise than a reality if we ignore for a moment those special folks at the NSA and GCHQ?

    1. Flocke Kroes Silver badge

      Re: A Question

      Have you got over $100 in your bank account? Is your credit limit over $100? Can you borrow $101 from Wonga?

      1. MacroRodent

        Re: A Question

        Also, how long would factoring the 512 bit value take on a modern top of the line CPU you already might have in your PC? (Or if not the CPU, then the GPU).

      2. Chris King

        Re: A Question

        Can criminals steal $100 from you in another crime to finance this one ?

        Cost is not a deterrent to someone who can steal or con their way to affording something.

    2. Brewster's Angle Grinder Silver badge

      Re: A Question

      Accoording to Matthew Green it takes a lot of time to generate the keys. So a server will reuse the key; specifically, "Apache mod_ssl by default will generate a single export-grade RSA key when the server starts up, and will simply re-use that key for the lifetime of that server....[which means] you can obtain that RSA key once, factor it, and break every session you can get your 'man in the middle' mitts on until the server goes down."

      This point should've been in the article.

      1. Mark 65

        Re: A Question

        @Brewster: Thanks, that's an important missing point.

        On my previous comment and responses, that $100 is easy to come by is irrelevant as that implies a targeted attack on the client end or else you need to be able to afford to MITM however many clients to pursue the necessary pot of gold.

        The fact that this missing (in the article) information states you can target a server which is using a single (per uptime) key gives rise to a much better use of a $100 once-off outlay and opens the attack up to all and sundry.

  3. Anonymous Coward
    Anonymous Coward

    Android 4.4.2 (Kit Kat) appears to be vulnerable.

    1. Dazed and Confused
      Unhappy

      Why was that down voted?

      Pointing my SGS4 with Android 4.4.2 at the site says it's vulnerable.

      1. Anonymous Coward
        Meh

        Re: Why was that down voted?

        It happens a lot here, just ignore it. Show a Fanboy a fact they don't like and accept the down votes.

        I would LOVE to see Reg's traffic stats to see how many come from Google, Apple and Microsoft sites.

    2. Anonymous Coward
      Trollface

      Ouch....sorry this is going to hurt.

      Internet Explorer on Windows phone is NOT vulnerable.

      Sorry for any embarrassment caused.

      1. Anonymous Coward
        Angel

        Re: Ouch....sorry this is going to hurt.

        So Windows and Explorer are now the most secure platforms available?

        Surely a sign that the end times are upon us!

      2. Daniel B.
        Boffin

        Re: Ouch....sorry this is going to hurt.

        Internet Explorer on Windows phone is NOT vulnerable.

        Sorry for any embarrassment caused.

        Blackberry OS 6 here, NOT vulnerable as well. Looks like I'm being vindicated about saying that BBOS was more secure than the popular stuff.

        1. Anonymous Coward
          Anonymous Coward

          Re: Ouch....sorry this is going to hurt.

          HTC One (M8) with Android 5.0.1 (latest versions of everything)

          Built in HTC Internet app (7.0...): Vulnerable

          Google Chrome (40.0.2214...): Vulnerable

          Opera (27.0.1698...): Vulnerable

          Maybe it's just an Android thing and I'll have to wait until I get another OS upgrade from HTC in a year...

          1. Dan 55 Silver badge
            Thumb Up

            Re: Ouch....sorry this is going to hurt.

            Happily Firefox Mobile is immune from this problem. If you can't get Android updates then probably the only secure browser is Firefox because it's not a Webkit skin and it uses its own SSL libraries.

  4. Kevin McMurtrie Silver badge
    WTF?

    Stuck on old Android

    This is an issue with telcos locking down phones that they claim they're selling to you. You should never buy a locked phone. You will regret it in 6 months when you've hit a major bug and the telco offers to fix it with a $250 phone swap.

    BTW, Apple stops providing security patches to older models too and offers no workaround other than switching to Linux or buying a new computer that isn't actually any faster.

    1. Anonymous Coward
      Anonymous Coward

      Re: Stuck on old Android

      About a year ago Apple released a security update for iOS 6 to version 6.1.6 - the latest version a 3gs can run which was ALMOST FIVE YEARS OLD at the time. I would not be shocked if a version 6.1.7 pops out in a few weeks, though maybe supporting the 3gs almost six years after its release is asking a bit much.

      The situation with security patches for iOS is not even remotely comparable to Android. Try again.

      1. Anonymous Coward
        Anonymous Coward

        Re: Stuck on old Android

        iOS 6 is three years old.

        And someone complained - and still complains - MS stopped supporting a fourteen year old OS....

      2. Chris King

        Re: Stuck on old Android

        Five years is "obsolete" in Apple terms, but interestingly no iPhones apart from the original model are currently listed at https://support.apple.com/en-us/ht1752 - it's possible the 3gs might get an update, but I wouldn't bank on it.

    2. Adam 1

      Re: Stuck on old Android

      I'm completely sure Google will have patched this 90 days after it was reported.

    3. Anonymous Coward
      Anonymous Coward

      Re: Stuck on old Android

      What? Your comment makes it sound as though you can run Linux on unsupported Apple phones...

      If you're (as I know you are) talking about Apple computers, well you can run a whole lot more than Linux on them. Open your mind dude!

    4. Anonymous Coward
      Anonymous Coward

      Re: Stuck on old Android

      Computers or phones?

      My 2010 Mac Mini is still supported by OSX.

    5. Dazed and Confused

      Re: Stuck on old Android

      No just an issue for people with locked phones with nabbled SW, unlocked phones can have this too.

  5. Mark 85

    IE10???

    According freakattack.com, the IE10 browser I have is vulnerable but Firefox (browser of choice, first/last/always currently) isn't.

    Yeah... I'm lax in not upgrading IE10 to 11. It's my backup for one site that I use daily that IE11 doesn't play nice with.

    1. Geoff Campbell Silver badge
      Black Helicopters

      Re: IE10???

      Chrome v40 appears to be safe.

      GJC

      1. Anonymous Coward
        Anonymous Coward

        Re: IE10???

        I think chrome 40 is vulnerable but 41 (stable release around today) is not.

        1. thesykes

          Re: IE10???

          Running Chrome v40 and the checker website says all OK.

    2. Anonymous Coward
      Anonymous Coward

      Re: IE10???

      You stay on an insecure browser for one poxy site...? Just run the fraking thing in a VM.

    3. Charlie Clark Silver badge

      Re: IE10???

      Firefox uses NSS instead of OpenSSL. This just means different bugs, though I doubt that NSS's internals are quite as hair-brained as OpenSSL

      1. Z80
        Headmaster

        Re: IE10???

        harebrained

    4. Mark 85

      Re: IE10???

      FTR, it seems that all IE browers are vulnerable to this... goodbye IE...

  6. Anonymous Coward
    Anonymous Coward

    Don't hold your breath

    "Hopefully attacks like this may make him think...

    On evidence so far the minimum required to achieve a measurable amount of sustained, independent thought would be major surgery to add the relevant grey matter. To make the output usable though is probably beyond medical science.

  7. Panicnow

    JUST FIX THE SERVERS!

    This is a negotiation, if the servers will not except 512, then no harm done!

    1. Anonymous Coward
      Anonymous Coward

      Re: JUST FIX THE SERVERS!

      That's one way (and the easiest way) to solve it but if people want good security then they need to step up and ensure that it's happening at their end rather than just passing the buck.

    2. Anonymous Coward
      Anonymous Coward

      Re: JUST FIX THE SERVERS!

      Negotiation is a 2 way thing.

    3. Adam 1

      Re: JUST FIX THE SERVERS!

      Accept!

    4. phuzz Silver badge
      Stop

      Re: JUST FIX THE SERVERS!

      What the article doesn't mention, is that a lot of of the vulnerable servers belong to CDNs such as Akamai, who are rolling out fixes now, which should bring that 36% down quickly.

      (source)

  8. Bronek Kozicki
    Mushroom

    keyword: either

    One thing that hit me was this "... and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204"

    Basically, one of the decisions taken by OpenSSL developers was (and still is) "do not remove compatibility features", thus we can still see bits of code specifically for platforms such as VMS or Win16 - even though OpenSSL has not been tested on those for a very, very long time. It also implements full support for weak encryption such as RSA_EXPORT. Hilariously OpenSSL even implements certificate check to fail the connection if stronger encryption than 512bit was employed on RSA_EXPORT session (look for SSL_alert_type_string).

    Why do I point it out? Because vulnerability to degrade connection to insecure RSA_EXPORT would not happen, if OpenSSL did not keep such insecure implementation in the first place. But of course, it would go against philosophy of key developers. Which is why alternative libraries such as LibreSSL are so important.

    1. Daniel B.
      Boffin

      There is one use for EXPORT in OpenSSL though

      I use it all the time to check for exactly this kind of stuff:

      openssl s_client -connect www.my.site.with.ssl.com:443 -cipher EXPORT

      I've been checking for both this and TDES usage since 2011. I've also made a point of disabling EXPORT, RC4 and TDES ciphers on whatever service I'm configuring from scratch. This is something that everyone should know about, but seems to be noticed only when someone discloses it.

      I'd leave EXPORT support on OpenSSL for testing purposes only, but remove it from the "can downgrade to this cipher" list.

      The fun fact about this is that it's the US Government's fault, and maybe the NSA's fault as well. The 90s had a lot of criticism on the ban on strong crypto export, and we all knew that was going to come back to bite 'em down the road.

      1. Bronek Kozicki

        Re: There is one use for EXPORT in OpenSSL though

        hah good point - cannot check whether "hack my users, please" is disabled, without a tool to actually request this protocol.

    2. Michael Wojcik Silver badge

      Re: keyword: either

      It's trivial to exclude the EXPORT suites in the cipher-suite list when using OpenSSL in an application, and trivial to build OpenSSL without support for them.

      While OpenSSL shouldn't be vulnerable to MITM downgrade attacks like CVE-2015-0204 (in which the client accepts the short temporary key even though it didn't include an EXPORT cipher suite in its ClientHello), there's little excuse for public servers that accept EXPORT suites by default today. That's either bad programming or bad administration.

      Certainly there's a strong argument to be made that OpenSSL shouldn't include the EXP ciphers in its DEFAULT list; but developers using OpenSSL should at least understand how to set the cipher-suite list and set it to at least "DEFAULT:!EXP" by default. (Note that the OpenSSL developers have announced plans to remove various suites from DEFAULT in the next year or so, to some controversy.)

      OpenSSL, out of the box, is not suitable for use by developers and administrators who don't want to be bothered learning anything about SSL/TLS. Those people shoud purchase a commercial solution and pay someone to walk them through it, or use some higher-level package that takes care of the gritty details. Blaming OpenSSL because people can't be bothered to learn how to use the tools they pick up is unfair.

      1. Daniel B.
        Boffin

        Re: keyword: either

        OpenSSL, out of the box, is not suitable for use by developers and administrators who don't want to be bothered learning anything about SSL/TLS.

        Pretty much any crypto API is not suitable for use by anyone who hasn't at least read something about SSL/TLS. I'm really surprised about the amount of devs, webmasters and sysadmins that had no idea about the existance of EXPORT ciphers at all. This is something they should know because a lot of them actually worked with the "international browser" versions from the late 90's which had the stupid 40-bit restriction hobbling SSL.

        There's also a very high amount of developers who use self-signed certs in production enviroments. Another good bunch that outright disable SSL certificate validation to get their stuff to work, basically opening up their security infrastructure to MITM attacks within the organizational network. You've probably noticed that this sounds a lot like how SuperFish does SSL ... well, this is why those devs thought it was normal. They're used to doing this.

        Oh well, at least some security-related products will have some kind of FIPS mode available. It's probably worth flipping that switch on as it will disable all EXPORT and LOW ciphers by default, including 3DES which is probably bound to be cracked in the near future.

      2. Avalanche

        Re: keyword: either

        You are missing the point: older versions OpenSSL will happily accept the export RSA when it didn't ask for it.

  9. Crisp

    "pushing hard for a backdoor"

    Sounds more kinky than sinister.

  10. Anonymous Coward
    Anonymous Coward

    An our PM says that we should be using less encryption to allow for more snooping. Pillock.

  11. Blacklight

    Nexus 5 / Android 5.0.1 / Chrome 40.0.2214.109 - oops

    Mine comes up with a nice fat "Warning! Your client is vulnerable to CVE-2015-0204".

    1. DryBones

      Re: Nexus 5 / Android 5.0.1 / Chrome 40.0.2214.109 - oops

      Same. I'm expecting a new version of Chrome in the next couple days.

      1. GregC

        Re: Nexus 5 / Android 5.0.1 / Chrome 40.0.2214.109 - oops

        Yep, same here :(

        Firefox on the same phone seems to be ok.

  12. Alan Denman

    Uncle Sam at it again

    ...and even before China was selling IT.

    So how to blame this one on China ?

    1. Anonymous Coward
      Joke

      Re: Uncle Sam at it again

      The US didn't want China to have it, so it IS the Chinese that were the cause.

  13. Electric Panda

    iOS 8.1.3

    I can confirm iOS 8.1.3 is also vulnerable. No doubt a fix will magically appear in fairly short order.

  14. Anonymous Coward
    Anonymous Coward

    And relax ....

    Just checked those of my servers that carry anything worth bothering about, and lo - the default Apache config on them doesn't include the low strength options. Thanks Debian :-)

  15. Caspy7

    Workaround

    This article didn't mention it explicitly, but Firefox does not have this vulnerability, so if you're on an unpatched Android/Chrome/Mac you can use Firefox and not be at risk of this attack.

  16. Anonymous Coward
    Anonymous Coward

    Unsafe at any speed

    Basically this tells us that both Apple and Google phones are unsafe by design, at least if unsafe is minimally defined as failing to provide reliable protection by enforcing current encryption standards. At the very least their devices could provide a software switch to require higher encryption than we had in the 90's. As others point out, yes, this is a server side problem. But there are lots of other server side problems we expect clients to deal with effectively.

    What really needs to happen is for both Apple and Google to switch over to LibreSSL and NSS, supporting both on their devices and letting the user decide which to implement. Of course there are two problems with that: (a) Google has no way to update most of the devices sold under the Android name, even if they were so inclined, having traded market share for a hands-off approach to maintenance; and (b) Apple has resisted allowing competing standards on its phones (e.g. it will not allow NSS-enabled Mozilla branded Firefox or Google's own webKit, v8 or other features to be implemented on its platform).

    The bottom line is that none of these devices as currently shipped are safe, and they should be used with great caution. Most of us below the exec level don't have to worry about proprietary company info being compromised, but our own personal banking and health care transactions are another thing. You really shouldn't do your banking or log on to your health care account via a mobile. Ever. Same is true for anything involving a credit card, like ordering merchandise from Amazon or streaming video from Netflix. Go to a more secure, and updated, computer for that. If you have credit cards linked to your phone account, or apps from 3rd parties that are, remove them (sorry, yes that means no more paid apps). This won't entirely eliminate the possibility of someone using your phone to steal your identity or your money, but it will reduce it dramatically.

    Maybe if enough people did this the economics of lax security on phones would shift and give mobile manufacturers the incentive to do something about the problem. Until then at least you can save yourself, albeit at the cost of some inconvenience.

  17. Badvok
    Flame

    WTF?

    Amazing how many commentards log into a web site that says "you're vulnerable" and believe it.

    This article refers to report that conflates two very different but slightly related vulnerabilities that most here would appear not to have a clue about.

    Yes, some browsers are susceptible to CVE-2015-0204, but that flaw actually just means that if you're connecting to a server that decides to degrade the temporary key to export grade then you will not know about it. This is a server problem and is not possible with a man-in-the-middle attack unless your browser's root keys are also compromised. The only issue with the browser is that it continues without telling you.

    However, browsers still supporting export grade keys when negotiating security is a big problem and it would be nice to have some idea of how big. Unfortunately dumb sites that conflate the two problems are worse than useless.

    1. Anonymous Coward
      Anonymous Coward

      Re: WTF?

      Well you're quite the know-it-all, aren't you?

    2. Daniel B.
      Boffin

      Re: WTF?

      I wouldn't see this as a minor flaw as long as the browsers support it. Yes, if the server doesn't accept EXPORT keys, it's a non-issue. But at the time of writing, 2 out of 4 banks I've tested are vulnerable to this. As long as these sites remain unpatched, this vuln will remain serious.

    3. Adam 1

      Re: WTF?

      I think the thing you miss is that for chrome and safari at least, they accept the fallback even if it wasn't initially offered. That is the client side issue.

      1. Adam Inistrator

        Re: WTF?

        "I think the thing you miss is that for chrome and safari at least, they accept the fallback even if it wasn't initially offered. That is the client side issue."

        AHHHHH! thank you! ... security bods minds work in devious ways that normal brains cannot imagine

  18. (AMPC) Anonymous and mostly paranoid coward
    Meh

    Two out of three ain't bad and why paranoia pays

    Don't browse much from my Android smartphone but here's what I discovered:

    Standard KitKat Android browser: FreakAttack FAIL!

    Chrome Android browser: FreakAttack FAIL!

    Opera Mini, FreakAttack, you can't get me

    On the Windows 8.1 laptop:

    Chrome FreakAttack, you can't get me,

    FF FreakAttack, you can't get me

    IE 11 Enhanced Security Configuration, can't tell, can't see site warning banner

    IE 11 no Enhanced Security Configuration, dunno, ESC is set by group policy. Can't be bothered to remove it to see, but will give IE 11 the benefit of the doubt.

    In any case, I won't use IE again until it actually works as a browser. Still waiting for Spartan, which may or may not disappoint.

    I do not and will not perform credit card transactions from my mobe ever.

    It's scary enough using it at the local Super Market.

    So keep panicking, and carry on.

  19. Jamesit

    BlackBerry OS 10.3.1.1581 is vulnerable.

    1. Daniel B.
      Boffin

      Same here

      BlackBerry OS 6.0.0.534 invulnerable as well.

      I would test it on OS 7.1.x but my 9790's logic board died 2 weeks ago.

  20. UFOtofu
    FAIL

    Oh, the irony ...

    Follow the link to freakattack.com and you will learn that the report on FREAK is maintained by a team which can be contacted via zmap-team@umich.edu.

    Later in the report there is a list of the "websites in the Alexa Top 10K [that] support RSA Export Suites". In that list is Alexa site #1662 which is ... yep, umich.edu.

  21. Adam Inistrator

    why blame the client and not the server?

    if the server will accept low sec connnection then isnt it as much to blame?

    edit: no as another comment explained ... approx "the client accepts low sec even if it wasnt originally offered"

  22. Tom 13

    Obligatory youtube post

    https://www.youtube.com/watch?v=EVZh4WcdC3s

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like