Latest in Cyber Vulnerability – The FREAK Attack

March 10, 2015 / Network and Security

It seems that the predictions made by tech journalists after a serious of attacks in 2014, are coming for real. According to them, the situation in 2015 would be worse viewing to the more advanced techniques been used to penetrate networks. This time it’s ‘the FREAK attack’.

After DDoS that lead to Internet slowdown globally, enterprises are under constant strain. Therefore, it becomes important for us to know about FREAK and adopt ways to safeguarding ourselves.

FREAK (Factoring RSA-Export Keys), the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) hole present in programs using Apple’s SSL implementation or old Open SSL as well as in Microsoft’s Secure Channel (SChannel) stack.

Though termed as an attack, it is actually a security flaw that came into light on March 3, 2015. Hackers can exploit the vulnerability to weaken the encryption used between clients and servers when the user logs on via HTTP connections. The computers operating on Windows OS fall into this category.

The flaw is the result of a former U.S. government policy that banned the export of strong encryption and required that weaker ‘export-grade’ products to be shipped to the customers in other countries, according to the researchers who discovered the FREAK attack.

The export-grade encryption had 512-bits that is the maximum limit permitted under U.S. restrictions in order to limit the trade in military technologies in 1990s. This era was called as “The Crypto Wars” as there were pitched political battles over deploying cryptographic algorithms that even enhanced government computers couldn’t crack.

Microsoft released security advisory that includes a workaround for some Windows systems but it requires access to the Group Policy Editor that can be found only on Professional, Ultimate and Enterprise version of Windows.

The process to safeguard yourself is as follows –

  • Step 1 : Tap onto the Windows-key
  • Step 2 : Type gpedit.msc and Hit Enter.
  • Step 3 : To navigate to Local Computer Policy use the left sidebar > Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
  • Step 4 : Double-click on SSL Cipher Suite Order.
  • Step 5 : Check on the Enabled icon.
  • Step 6 : Copy the Cipher suite order from Microsoft’s advisory page to the clipboard and paste it into the SSL Cipher Suites form.
  • Step 7 : Click OK and restart the PC.

This will protect the Internet Explorer from exposure. Windows will be unable to connect to systems that use a Cipher not supported in the list that you have added in the Group Policy Editor.

In order to undo the change later on simply check on the Disabled tab.

To avoid your Windows system getting affected use the browser other than Internet Explorer for meantime or apply the above mentioned settings.

In addition, according to the miTLS team that discovered the FREAK security hole at first, the following SSL/TLS client libraries are vulnerable –

  • OpenSSL (CVE-2015-0204): versions before 1.0.1k.
  • BoringSSL: versions before November 10, 2014.
  • LibReSSL: versions prior to 2.1.2.
  • Secure Transport: is vulnerable. A fix is being tested.
  • SChannel: is vulnerable. A fix is being tested.

Web browsers using these TLS libraries other than Internet Explorer that are vulnerable to the attack include –

  • Safari is vulnerable. Wait for a patch, switch to Firefox or Chrome 41.
  • Chrome versions before 41 on different platforms are vulnerable.
  • Android Browser is vulnerable
  • Blackberry Browser is vulnerable. Wait for a patch.
  • Opera on Mac and Android is vulnerable. Update to Opera 28 (when stable), switch to Chrome 41.

According to Ars Technica, recently, scaning 14 million websites, supporting the secure sockets layer or transport layer security protocols, more than 36 percent of websites were found to be vulnerable to the decryption attacks. The results also displayed that the exploit takes around seven hours to carry out and costs around $100 per suite.

Researches have claimed that they could force the browsers to utilize the weaker encryption and crack it within the course of just few hours. Once cracked, hackers could get a chance to steal the significant data and passwords and potentially launch a broader attack on the websites by using the elements on page, like the Facebook ‘Like’ button.

To prevent the Freak attack on the Mac systems, Google has already patched the version of Chrome and Firefox is supposed to be safe on all platforms. The patches for formal iOS and OS X are still being developed; there isn’t any timeline update from Apple for their release till now.

For the end-users, the safest method is to use the newest version of Chrome or Firefox. There would be fixes developed for other browsers too. So, don’t panic just be patient until the fixes are available.

If you are looking to secure your website with SSL, take a look at our SSL Certificate page.

Spread the love

Leave a Reply