Cryptographers have unearthed a security flaw in OpenSSL that exposes millions of internet users to Man in the middle attacks when accessing secured websites. The Security flaw initially introduced by US government in the 90’s is easy to exploit requiring only an internet connection and few man hours to spare.
A FREAK Security flaw in OpenSSL clients could be troubling Google and Apple in past few days. The vulnerability discovered by cryptographers at INRIA, Microsoft Research and IMDEA allows the downgrading of internet security protocols from a strong RSA to a weak Export grade RSA – exposing millions of internet users to man in the middle attacks when visiting encrypted websites e.g. Whitehouse.gov and FBI.gov.
The security flaw dates back in the 90’s when the US government required tech companies to deliberately weaken encryption in exports product in the wake of the crypto wars. Although the policy was later abolished, cryptographers recently discovered that hackers could still forces browsers to use weak Export-grade encryption which can be hacked in a matter of hours.
Export grade encryption is only limited to a maximum of 512bits which is considered unacceptably weak. “We thought of course people stopped using it,” says Karthikeyan Bhargavan, one of the researchers at INRIA computer lab. Initially, the policy was meant to limit the export of strong military grade technology in order to give US agencies an upper hand in cracking foreign communications.
Independent tests by Nadia Heninger, a cryptographer at University of Pennsylvania revealed that it would take hackers an average of seven hours to crack export grade encryption. Once cracked, the hackers would steal login credentials and read encrypted communications between the browsers and a secured websites.
While the policy may have made sense by then, deliberately weakening encryption is a disastrous move. It causes technical problems because servers have to find ways to support both strong and weak crypto. This exposes internet users to not only exploits from NSA but also from hackers, a sentiment echoed by many security Experts. “You cannot have a secure and an insecure mode at the same time,” says Christopher Soghoian, principal technologist at ACLU. “The flaws will ultimately impact all users.”
The precise number of vulnerable websites is not known, but computer science researchers at the university of Michigan, estimate that at least one third of all encrypted websites that supports TLS and its predecessor SSL internet security protocols are vulnerable to FREAK (Factoring Attack on RSA-Export Keys). This implies close to 5million out of the 14 million encrypted sites including government sites and financial services sites could be affected.
Security experts are yet to witness attacks in the wild exploiting the FREAK vulnerability, but Matthew D. Green, one of the cryptographers who unearthed FREAK has called on government agencies and affected organization to patch up as soon as humanly possible in order to mitigate against potential attacks.
Meanwhile, FBI.gov and Whitehouse.gov have already patched up their websites while NSA is reportedly working on its site. Apple on the other end has promised to release a security patch for both its Mac PCs and iPhones by early next week according to a statement by the company’s spokesman Trudy Miller.
Recently released versions of Google’s Chrome browser are not vulnerable to FREAK attacks. However, all preinstalled Chrome browsers in android devices are vulnerable. On Tuesday, Google said a security patch for its android browsers has already been dispatched to partners such as Samsung and others who operate on the android platform.
Top/Featured Image: By Freak lg . Licensed under CC BY 3.0 via Wikipedia