It wasn’t that long ago, that the POODLE vulnerability swept across the world demonstrating that under the right circumstances, even encrypted connections to secure websites can be relatively easily cracked by hackers. Now, cryptographers at the French INRIA, Microsoft Research, and IMDEA have discovered a very serious vulnerability in OpenSSL and Apple TLS/SSL clients.
This attack, named FREAK (Factoring attack on RSA-EXPORT Keys) allows a malicious actor to downgrade the encryption of your connection from strong RSA to what’s called “export-grade’ RSA. This attack can be carried out on android stock browsers (not Chrome) and Apple’s Safari browsers and allows an attacker to execute a man-in-the-middle attack.
Naturally, you might be wondering what this export-grade RSA is. In the early 90’s, a policy by the U.S. government banned the export of strong encryption, requiring instead the use of a weaker, 512-bit encryption. The reasoning was that it will provide a reasonably strong encryption for commercial use, while the NSA would still retain access to the data because their super-computers would still be able to break the 512-bit encryption in a short length of time.
Times have changed since the 90’s however, and although the original SSL encryption was designed to be broken, we’ve come some time since then, yet the weak encryption from those days still remains within some browser designs and allows the clients to accept export-grade RSA keys even though the client browser never asked for them. According to a blog post on Cryptography Engineering, the steps of the attack are:
- In the client’s Hello message, it asks for a standard ‘RSA’ ciphersuite.
- The MITM attacker changes this message to ask for ‘export RSA’.
- The server responds with a 512-bit export RSA key, signed with its long-term key.
- The client accepts this weak key due to the OpenSSL/SecureTransport bug.
- The attacker factors the RSA modulus to recover the corresponding RSA decryption key.
- When the client encrypts the ‘pre-master secret’ to the server, the attacker can now decrypt it to recover the TLS ‘master secret’.
- From here on out, the attacker sees plaintext and can inject anything it wants.
This certainly spells bad news for many people out there. Just how many servers, however are vulnerable to this type of attack? A staggering 36.7% of all secure websites are vulnerable. This translates to about 14 million websites. Among these sites are even government sites, including FBI, NSA, IRS, White House, and many other high-profile sites. Since the NSA was pioneering the export-grade RSA keys usage, it is only natural to expect that their site will be the first vulnerable to this attack. A video of the attack on NSA’s site can be found here.
To break the export-grade 512-bit key was accomplished in about 7.5 hours by using Amazon’s Web Servers that cost $104 to rent. Apple and Google responded to the FREAK vulnerability claiming that a patch will be made available soon, although in the case of Android, it is the responsibility of phone manufacturers to roll out the updates.