Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Freak Attack - Surprised? No. Worried? A little.

Published: 2015-03-04
Last Updated: 2015-03-04 04:06:34 UTC
by Mark Hofman (Version: 1)
1 comment(s)

There has been some press surrounding the SSL issue published recently dubbed Freak.  It was reported in the Washington post1 and other sites, but what does it really mean?

The issue relates to the use of Export Ciphers (the crypto equivalent of keeping the good biscuit yourself and giving the smaller broken one to your little brother or sister).  The Export Ciphers were used as the "allowed" ciphers for non US use.  The ciphers are part of OpenSSL and the researchers2 have identified a method of forcing the exchange between a client and server to use these weak ciphers, even if the cipher suite is not "officially" supported3.  

On first reading, like many, I thought so what, especially since you have to do a man-in-the-middle (MITM attack.  When you do a MITM attack you have full control over the connection anyway, so why bother decrypting anything? However, if I'm reading and interpreting the examples correctly (kind of hoping I'm wrong), it looks like this particular attack solves one challenge that a MITM has. For HTTPS intercept you usually generate a new certificate with the information of the site and resign the certificate before presenting it to the client. Whenever you present this newly signed certificate  the client receives an error message stating that the certificate does not match the expected certificate for the site.  From the vids2 it looks like this attack could "fix" that particular problem.  So now when you perform a MITM attack you retain the original certificate and the user is none the wiser.  This could open up a whole new avenue of attacks against clients and potentially simplify something that was quite difficult to do. 

What is the impact to organisations? Well it is quite possible that your sites will be impersonated and there won't be much that can be done about it and you may not even know that your customers are being attacked.  To prevent your site from being used in this attack you'll need to patch openSLL4 (yes again).  This issue will remain until systems have been patched and updated, not just servers, but also client software.  Client software should be updated soon (hopefully), but there will no doubt be devices that will be vulnerable to this attack for years to come (looking at you Android).

Matthew Green in his blog3 describes the attack well and he raises a very valid point. Backdoors will always come back to bite. 

The researchers have set up a site with more info5. 

Cheers

Mark H  - Shearwater

(Thanks Ugo for bringing it to our attention).

Links:

1 - http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/
2 - https://www.smacktls.com/#freak
3 - http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
4 - https://www.openssl.org/news/secadv_20150108.txt
5 - https://freakattack.com/

Keywords:
1 comment(s)
ISC StormCast for Wednesday, March 4th 2015 http://isc.sans.edu/podcastdetail.html?id=4381

If you have more information or corrections regarding our diary, please share.

Recent Diaries

An Example of Evolving Obfuscation
15 hours ago by Brad Duncan (3 comments)

Advisory: Seagate NAS Remote Code Execution
2 days ago by Rick (1 comment)

Let's Encrypt!
4 days ago by Rick (5 comments)

DDOS are way down? Why?
4 days ago by Rick (2 comments)

New Feature: Subnet Report
5 days ago by Dr. J. (1 comment)

Samba vulnerability - Remote Code Execution - (CVE-2015-0240)
6 days ago by Chris (0 comments)

Copy.com Used to Distribute Crypto Ransomware
1 week ago by Dr. J. (3 comments)

How Do You Control the Internet of Things Inside Your Network?
4 decades ago by Dr. J. (1 comment)

View All Diaries →

Latest Discussions

Google's security-focused Android and Chrome for Work
created 5 days ago by Anonymous (0 replies)

How do I fix website security certificate errors?
created 1 week ago by Alvirajohn (0 replies)

Please help with securing my website
created 3 weeks ago by Anonymous (0 replies)

Please help with securing my website
created 3 weeks ago by Anonymous (3 replies)

your EMET 5.1 experience?
created 1 month ago by Mallory Bobalice (4 replies)

View All Forums →

Latest News

View All News →