What the FREAK? Huge SSL security flaw stems from US government backdoor
Seven hours is all it takes to crack the encryption that is in place on some supposedly secure websites. Security experts blame the US government's ban on the use of strong encryption back in the 1990s for a vulnerability that has just come to light. Named FREAK (Factoring attack on RSA-EXPORT Keys), the flaw exists on high-profile websites including, ironically, NSA.gov.
Restrictions that limited security to just 512-bit encryptions were lifted in the late 90s, but not before it was baked into software that is still in use today. The ban on the shipping of software with stronger encryption apparently backfired as it found its way back into the States. Security experts say the problem is serious, and the vulnerability is relatively easy to exploit.
Browsers can be hijacked and tricked into accessing websites using legacy encryption -- this was the discovery of researchers at Inria in France. There was disbelief that such old protection measures were still being used, but it soon became clear that hackers needed just a matter of hours to exploit the weak security to steal passwords and personal information, or even launch a full-scale attack on a website.
Talking to the Washington Post Matthew Green, a cryptographer at Johns Hopkins Information Security Institute, said that US government had effectively weakened its own security with the earlier ban on the exporting of strong encryption. "When we say this is going to make things weaker, we're saying this for a reason."
The vulnerability could be exploited on vulnerable sites, with encryption cracked in just seven hours. Worryingly, if test samples are correct, more than a quarter of websites that were previously thought to be secure are vulnerable to the problem. In a blog post, Green explains that the vulnerability affects OpenSSL (used by Android) and Apple TLS/SSL clients (used by Safari). He goes on to explain that "the SSL protocol itself was deliberately designed to be broken" and that a man-in-the-middle attack could be easily launched on sites:
The 512-bit export grade encryption was a compromise between dumb and dumber. In theory it was designed to ensure that the NSA would have the ability to 'access' communications, while allegedly providing crypto that was still 'good enough' for commercial use. Or if you prefer modern terms, think of it as the original "golden master key".
In effect, a backdoor put in place by the US government has left countless websites insecure. Green points out that the lengthy list of affected sites includes connect.facebook.net which is used to deliver Facebook's Like button to millions of websites. If this was hijacked, the consequences could be dire.
Patches will almost certainly be on the way, but the final word goes to Matthew Green who sums up the source of the problem quite succinctly:
Encryption backdoors will always turn around and bite you in the ass. They are never worth it.