FREAKing hell: ALL Windows versions vulnerable to SSL snoop

Microsoft has confirmed that its implementation of SSL/TLS in all versions of Windows is vulnerable to the FREAK encryption-downgrade attack. This means if you're using the company's Windows operating system, an attacker on your network can potentially force Internet Explorer and other software using the Windows Secure Channel …

  1. Rampant Spaniel

    So what does the A stand for?

    1. Bob Vistakin
      Facepalm

      So quality browsers are ok - it's just IE that's affected?

      1. A Non e-mouse Silver badge
        Headmaster

        @Bob Vistakin

        So quality browsers are ok - it's just IE that's affected?

        RTFA

        Google Chrome for OS X prior to version 41.0.2272.76 and BlackBerry OS 10.3 are known to be vulnerable

        1. Dan 55 Silver badge
          Trollface

          Re: @Bob Vistakin

          Still not seeing any quality browsers there.

          1. oddie

            Re: @Bob Vistakin

            Current list of browsers affected, for those who don't like to read sources :)

            Internet Explorer Security advisory

            Chrome on Mac OS Patch available now

            Chrome on Android

            Safari on Mac OS Patch expected next week

            Safari on iOS Patch expected next week

            Stock Android Browser

            Blackberry Browser

            Opera on Mac OS

            Opera on Linux

            up to date as per 2015-03-05

      2. Stuart 22

        Bork IE<9

        Can we find something that will do this?

        I'm prevented from using SSL on websites as these browsers don't support SNI and we don't have enough IPs. That is a threat to everybody else's security. You can't degrade what you haven't implemented because of these retards.

        1. big_D Silver badge

          Re: Bork IE<9

          What exactly is the degradation of security here? I skimmed the articles, but didn't find anything definitive.

          My IE is set to only use TLS 1.1 and TLS 1.2, TLS 1.0 and SSL 2.0 are disabled. It also forces a check of the certificates.

          The Freakattack site says that it is still vulnerable, is that because it just checks for IE 11, or because even with these settings (AFAIK TLS 1.1 is still secure) IE 11 is vulnerable and can be forced to use a weaker protocol?

          Aha, seems if they can force RSA mode, they can bypass the generating of new session keys and some messages are skipped, even though they theoretically can't be skipped (www.smacktls.com).

          The good news is, I generally use Firefox for anything secure.

          1. Daniel B.
            Boffin

            Re: Bork IE<9

            The Freakattack site says that it is still vulnerable, is that because it just checks for IE 11, or because even with these settings (AFAIK TLS 1.1 is still secure) IE 11 is vulnerable and can be forced to use a weaker protocol?

            Yes, unfortunately TLS 1.x doesn't mean that EXPORT ciphers are disabled at all. I've tested a couple of sites, and TLS still can negotiate EXP-RC4-MD5, which makes cryptographers' eyes bleed. The problem is that EXPORT should have been removed from the default set of ciphers at least a decade ago.

  2. Anonymous Coward

    Well, yeh really. Also notice that the EA should actually be AE ("FRAEK"), assuming the A is for "against". Whatever, it's J.A.A.S. (Just A Shitty Acronym)

    BTW, why is Firefox the only major browser not affected?

    1. a_yank_lurker

      Other Browsers

      I just tested the latest versions of Chromium, Chrome, Firefox, and Opera on Arch Linux. They all passed.

    2. david 12 Silver badge

      >BTW, why is Firefox the only major browser not affected?

      Since "version 33", Firefox has had no support for 512bit keys. This makes FF unsuitable for a small number of specialised web sites, particularly from embedded devices, but also (and this is the reason it was done) makes it impossible to connect to anything using a 512 bit key.

      1. streaky

        Re: >BTW, why is Firefox the only major browser not affected?

        This makes FF unsuitable for a small number of specialised web sites

        There's no *reasonably* modern crypto stack (written within like the last 15 years) that requires that these cipher suites are used. Servers don't need to support them, the end. No ifs, no buts as DC would say.

      2. Dan 55 Silver badge

        Re: >BTW, why is Firefox the only major browser not affected?

        I can see why they did it, but they could have kept up to 1023-bit keys for the LAN. They were warned about this in the bug on Bugzilla as well. It makes connecting to my router a pain, I have to use another browser.

  3. Chozo
    FAIL

    Talk about being borked sideways by Bubba, Micro$oft really should get a wiggle on rebuilding the entire OS from the ground up.

    1. BongoJoe

      Talk about being borked sideways by Bubba, Micro$oft really should get a wiggle on rebuilding the entire OS from the ground up.

      But according to Redmond, they do..

      ...by clearly using the same code.

    2. returnmyjedi

      Safari and Chrome are affected on OSX so I guess things must be a bit rotten in Fruityworld also.

    3. h4rm0ny
      Paris Hilton

      >>"Micro$oft really should get a wiggle on rebuilding the entire OS from the ground up."

      Would love to see you on a software project:

      Project Lead: "We've found that one of the old protocols we support just isn't safe these days, we need to disable it."

      Chozo: "Re-write the OS!"

      1. Anonymous Coward

        @ h4rm0ny

        Well NT sort of was until they threw all the crap back in again after ME. I'd love to see MS write a new OS from the ground up, I think it's about time.

    4. Anonymous Coward

      already in the plan

      that is what Windows 11 is reserved for.

    5. Anonymous Coward

      "Micro$oft really should get a wiggle on rebuilding the entire OS from the ground up."

      Absolutely - it's high time they cleaned out all the legacy code they licensed from UNIX that keeps having these holes in...

      1. Anonymous Coward

        Absolutely - it's high time they cleaned out all the legacy code they licensed from UNIX that keeps having these holes in...

        So you'll be doing away with the convenience of directories ("folders" for you post-Win95 folk)?

        You'll be doing away with the BSD-inspired TCP/IP stack?

        In fact, bring it on. Getting rid of TCP/IP in Windows will mean no more Windows on the Internet and probably a vast reduction in the amount of crap we non-Windows have had to endure ever since you folk got here!

        And don't get me started on supposed rewrites, if I had a dollar for every time ${WINDOWS_RELEASE} was a ground-up rewrite I'd be able to buy Microsoft several times over by now.

        1. Anonymous Coward

          "In fact, bring it on. Getting rid of TCP/IP in Windows will mean no more Windows on the Internet"

          I think the suggestion was to replace all the crappy code from UNIX in Windows with something more modern and secure. Not just to remove it....

    6. Michael Wojcik Silver badge

      rebuilding the entire OS from the ground up

      Yes, because that wouldn't introduce any new vulnerabilities.

      1. Anonymous Coward

        @ Michael Wojcik

        Let's not write any new code then and just retire. :/

  4. Michael B.

    A different Freak?

    Is this a similar but different attack to the one earlier this week or the same one? I only ask as I tested all my browsers, including IE, against FREAK earlier in the week and they passed.

    1. enerider

      Re: A different Freak?

      try https://cve.freakattack.com

      If it loads without error - you're vulnerable.

      1. D@v3

        Re: A different Freak?

        would appear that Safari on iOS 8.1.3 is vulnerable

      2. mark jacobs
        Megaphone

        Re: A different Freak?

        Opera 27.0.1689.76 is NOT vulnerable under Windows 8.1 64-bit Pro.

        IE11 IS vulnerable under Windows 8.1 64-bit Pro.

        ** WARNING **, it is still not safe to do your banking using IE, unless you are banking with one of the very few banks that have enforced the more modern ciphers on their servers.

      3. Mage Silver badge
        Happy

        Re: A different Freak?

        "An error occurred during a connection to cve.freakattack.com. SSL received an unexpected Server Key Exchange handshake message. (Error code: ssl_error_rx_unexpected_server_key_exch) "

        Firefox on er er er ...

        13 years old Windows ... last re-installed June 2002.

    2. diodesign (Written by Reg staff) Silver badge

      Re: A different Freak?

      Internet Explorer in the Windows 10 Preview and Windows 8.1 was/is flagged up as vulnerable on freakattack.com. It is the same problem. Microsoft warns:

      "Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system. The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems."

      C.

      1. GitMeMyShootinIrons

        Re: A different Freak?

        "Internet Explorer in the Windows 10 Preview and Windows 8.1 was/is flagged up as vulnerable on freakattack.com. It is the same problem."

        Any mention of the new Spartan browser being vulnerable?

    3. Michael B.

      Re: A different Freak?

      Thanks for that. The website freakattack.com now says "(An earlier version of our test gave incorrect results for IE; IE is indeed vulnerable.)" Which goes to explain why I thought IE was not vulnerable earlier in the week.

      On a different note it seems that with the updated website Windows Phone is now being marked as vulnerable.

      1. cambsukguy

        Re: A different Freak?

        I just went to the web site and it said "Whoops, your browser might be incompatible with our test..."

        Which is weird because IE 11 ought to be testable really.

        So I went to the link which said "If this page loads successfully, you are vulnerable" (cve).

        It didn't, I presume that I am not then.

        Also, my (Denim) Windows Phone did the same thing exactly.

        Have they patched it already? magically? or is the cve test site less than useful?

        1. Anonymous Coward

          Re: A different Freak?

          I agree, Denim on Winphone just does nothing.

  5. Howard Hanek

    Windows

    Medically I would equate the Windows Operating system to a patient suffering the symptoms of advanced syphilis such as severe neurological damage, dementia and running sores. Should we just make out living wills and expect that the wealth of developed nations will suddenly enrich a new criminal class?

    1. serendipity

      Re: Windows

      Howard you are obviously a being with mighty knowledge. You have convinced me that I need to move off Windows. Oh great one, can you recommend an OS that has no security vulnerabilities? I guess that will be the one you use. So please speaketh its name so that we can all come into the light and hail this mighty OS ;-)

      1. Anonymous Coward

        "can you recommend an OS that has no security vulnerabilities?"

        Epoc. My Psion 3a never got hacked.

        1. Brewster's Angle Grinder Silver badge

          Re: "can you recommend an OS that has no security vulnerabilities?"

          My spectrum is the same. And it's so light and small that I've bolted it to the side of my glasses for the complete "speccy" look.

        2. cambsukguy

          Re: "can you recommend an OS that has no security vulnerabilities?"

          Security through obscurity indeed.

          I seemed to recall my N900 wasn't (noticeably) hacked while it spent time as a server either.

          These suckers using server OSs, morons.

        3. Anonymous Coward

          Re: "can you recommend an OS that has no security vulnerabilities?"

          "can you recommend an OS that has no security vulnerabilities?"

          Windows Phone 8 and 8.1

          Not counting this vulnerability of course...

      2. Preston Munchensonton
        Coat

        Re: Windows

        "So please speaketh its name so that we can all come into the light and hail this mighty OS ;-)"

        CP/M

  6. muttley
    Trollface

    How long has this been going on?

    @ Rampant Spaniel:

    Ace.

  7. Anonymous Coward

    Just add a bit of perspective here, the M$, Micro$oft haters might like to cast their reptilian eyes over this story;

    http://www.zdnet.com/article/mac-os-x-is-the-most-vulnerable-os-claims-security-firm/

    Food for thought, n'est ce pas?

    1. ThomH

      This article is about a security issue affecting web browsers. The linked article contains the text "When it comes to applications, it is little wonder that web browsers topped the list, with Microsoft's Internet Explorer up at the top with a total of 242 reported vulnerabilities".

      I would therefore not recommend it for the purpose advocated.

      1. Anonymous Coward

        "Microsoft's Internet Explorer up at the top with a total of 242 reported vulnerabilities"."

        They are multi counting the same vulnerabilities across different IE versions, but not doing so with Chrome. In terms of unique vulnerabilities, Chrome has had ~ twice as many as IE in the last year.

    2. werdsmith Silver badge

      "Just add a bit of perspective here, the M$, Micro$oft haters might like to cast their reptilian eyes overs this story;"

      Story can be disregarded. Jupiter was not correctly aligned with Saturn and there was no Z in the name of the month when it was written. Therefore it is discredited.

    3. Doctor Syntax Silver badge

      "http://www.zdnet.com/article/mac-os-x-is-the-most-vulnerable-os-claims-security-firm/"

      I think we did that one a week or two ago.

  8. Unicornpiss
    Meh

    FF v30 not vulnerable...

    Just tested on my (needs to be upgraded) Mint Linux 16 box...

    I'll bet Lynx isn't vulnerable...

  9. Nameless Dread
    Mushroom

    OMG!

    ZTE Skate (Android 2.3.5) browser is vulnerable !!

    Good job I don't use it for calls, texts, email, banking, purchasing ... anything much, really,

    .... apart from el Reg via Opera (which seems secure on this mobe, BTW)

    So that's OK then ?

  10. TaabuTheCat

    IISCrypto to the rescue

    IISCrypto (https://www.nartac.com/Products/IISCrypto/) is your friend. Makes seeing, changing, reordering and disabling cipher suites in Windows a breeze. No affiliation - just a happy user. And it's free!

  11. This post has been deleted by its author

  12. Anonymous Coward

    Am I right in thinking that this flaw exists just on websites hosted on Windows?

    1. Michael Wojcik Silver badge

      6 downvotes and no reply? That's a bit harsh for what seems like a valid question.

      No. First, it's not an attack on "websites" at all (unlike, say, XSS vulnerabilities, or web-based SQL injection, etc). FREAK is an attack on SSL/TLS implementations. Probably most SSL/TLS traffic is HTTP (certainly most of what typical users see is), but it's not exclusive to websites.

      FREAK involves convincing the client and server to select a weak asymmetric key during negotiation. It makes use of the old "export-grade" suites, which were mandated by the US government until it finally caved under pressure from business interests.

      The OpenSSL version of FREAK - the first one that was reported - works something like this:

      - Client: Hey, I can use any of these cipher suites, including some RSA ones. (Whether the client says it can use the export suites is irrelevant in this case.)

      - Attacker intercepts this message and changes it to "Hey, I can only use the RSA export suites, so give me a short RSA key".

      - Server: OK, here's your crummy RSA key.

      - Client: Sure, I'll use that, even if I was expecting a decently strong RSA key.

      - Client and server then generate a strong session key, but it's exchanged under the weak RSA key, so the attacker can break that and extract the session key.

      We don't seem to have public details on the SChannel version of the attack, but it may affect both client- and server-side SChannel. Or it may only affect the server side, in which case this variant of FREAK is only an issue for Windows-hosted services (whether those are websites or whatever). But the OpenSSL version would still potentially be a problem for servers running on other OSes.

      There's also the recently-announced Skip-TLS attack, which involves broken implementations of the TLS state machine. That one produced a fairly minor vulnerability in OpenSSL (servers that authenticate clients using certificates and allow a certain rare type of certificate could be vulnerable to client impersonation). Unfortunately, it completely breaks the JSSE implementation of TLS. All versions of Java have been vulnerable to it for years. Oracle fixed it with a critical update (for Java 5 through 8) in January.

      Other implementations are apparently vulnerable to Skip-TLS. Per the linked document, CyaSSL fixed it a while back and "other disclosures are pending". More TLS fun to come!

      1. Doctor Syntax Silver badge

        "Server: OK, here's your crummy RSA key."

        And that's a server side problem. Correct answer is:

        Server: No.

        1. Charles 9

          So the correct answer is, "Turn away a customer?"
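
Added example (not written by any commenter and not from the article): a toy Python model of the handshake Michael Wojcik walks through above. It shows the two checks this sub-thread argues about: a server that refuses export suites ("Server: No.") and a client that rejects a temporary RSA key it never negotiated. The suite names are real IANA identifiers; the function names and the simplified flow are assumptions made for illustration.

```python
# Added example: toy model of the handshake checks discussed in the thread.
# Suite names are real IANA names; functions and flow are hypothetical.

RSA_STRONG = "TLS_RSA_WITH_AES_128_CBC_SHA"
RSA_EXPORT = "TLS_RSA_EXPORT_WITH_RC4_40_MD5"


def is_export(suite):
    """Export-grade suites carry _EXPORT_ in their IANA name."""
    return "_EXPORT_" in suite


def server_select(hello_suites, server_suites, allow_export):
    """Return the first mutually supported suite, or None ("Server: No.")."""
    for suite in server_suites:  # server preference order
        if suite in hello_suites and (allow_export or not is_export(suite)):
            return suite
    return None


def client_accepts(offered, selected, ske_rsa_bits, strict):
    """Decide whether the client continues the handshake.

    offered      -- suites the client really put in its ClientHello
    selected     -- suite the client believes was negotiated
    ske_rsa_bits -- size of a temporary RSA key delivered in a
                    ServerKeyExchange message, or None if none was sent
    strict       -- True models a client that enforces the state machine
    """
    if not strict:
        return True, "accepted (no checks)"
    if selected not in offered:
        return False, "server chose a suite the client never offered"
    if ske_rsa_bits is not None and not is_export(selected):
        # Plain RSA key exchange has no ServerKeyExchange message.
        return False, "unexpected ServerKeyExchange"
    return True, "accepted"


def run(server_allows_export, strict_client):
    """One handshake in which the hello was altered in transit."""
    offered = [RSA_STRONG]           # what the client sent
    seen_by_server = [RSA_EXPORT]    # constructed: hello as the server saw it
    chosen = server_select(seen_by_server, [RSA_STRONG, RSA_EXPORT],
                           server_allows_export)
    if chosen is None:
        return False, "server refused: no acceptable suite"
    # The client still believes it negotiated RSA_STRONG but is handed
    # a 512-bit temporary key.
    return client_accepts(offered, RSA_STRONG, 512, strict_client)
```

The strict client's rejection is the same kind of failure as the "unexpected Server Key Exchange" error quoted from Firefox earlier in the thread.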

  13. Anonymous Coward

    SOS, DD

    What did you really expect from Microsucks?

  14. Stevie

    Bah!

    Crikey! All my saved Minesweeper and Freecell games are belong to Them.

  15. Anonymous Coward

    It's still a mitm attack...

  16. Alan Denman

    I can't help but think that these flaws got leaked since the US ...

    ...accused China of what US does standard clandestine like.

  17. crayon

    "** WARNING **, it is still not safe to do your banking using IE, unless you are banking with one of the very few banks that have enforced the more modern ciphers on their servers."

    One of the forking banks that I use "silently" fails to log in if I don't set the user-agent on my browser to some variant of IE.

  18. Jim E
    Mushroom

    Hahaha! Links on Linux Mint (Debian Cinnamon version) fails. Quick, rewrite Debian!

  19. Anonymous Coward

    Irony

    It's interesting to note that if you apply the workaround on the linked TechNet page, that you will no longer be able to access that page as the server only supports 5 of the TLS_RSA_WITH* algorithms that it has you disable.

    Also doesn't support TLS 1.1 or 1.2, but does support SSL 3.0.

    1. undefined

      Re: Irony

      If you apply their workaround, you will no longer be able to access your Verizon email account. This is starting to look like it's going to be a PITA.

  20. mfraz

    Rekonq

    Just did a few tests on the browsers installed on my computer running Kubuntu 14.10 and Chrome & Firefox both pass, but Konqueror & Rekonq both fail the test

    "Warning! Your browser offers RSA_EXPORT cipher suites. It can be tricked into using weak encryption if you visit a vulnerable website. We encourage you to update your browser right away."

    Doubt I've got much chance of them being upgraded.
