In-depth

Don't FREAK out over the Factoring Attack on RSA-EXPORT Keys

security key on keyboard

OPINION: It's about time we got things, by which I mean security vulnerabilities, into freakin' perspective. Currently the IT security industry and the media covering it are, in my opinion, in danger of becoming the internet equivalent of Chicken Little.

Every time a vulnerability is discovered which has the potential to impact upon large numbers of users we get the same 'the sky is falling' message writ large. Yet potential and probability are not automatic bedfellows, which appears to have passed many headline and press release writers by. The latest falling acorn to be mistaken for a piece of the internet sky is FREAK, or Factoring Attack on RSA-EXPORT Keys to be a little more formal about things.

What is FREAK?

What is FREAK, other than over-hyped that is? The simple answer is that it's a leftover weakness from political meddling by the US when Secure Sockets Layer (SSL) connection encryption was introduced. That meddling back in the early 1990's came in the form of export controls for encryption systems which enabled the US to use stronger encryption keys while international users had to make do with weaker ones.

In the case of SSL this originally meant Netscape deploying 40-bit cryptography for the international export grade versions, with the US keeping the de-facto stronger 128-bit version for themselves. This was supposedly to enable the NSA to be able to access communications, as only state sponsored outfits would have the required computing resources.

Things have changed since then, both in terms of scrapping that encryption export limit and supercomputer processing resources (via the cloud for example) being available to pretty much anyone who wants them. Unfortunately one thing hasn't changed, and that's the vulnerability discovered which means that some servers will accept RSA export-grade keys even when the client didn't ask for them.

It's actually exploiting a negotiation mode between servers and browsers that enables the server to downgrade the encryption requirement until the browser client can connect to it. Because the legacy export grade encryption is weaker, and computing resources are more powerful, the potential for decryption of SSL keys within hours using something powerful compute-wise exists. But does that potential, I ask again, equate to probability?

I'm with Phil Lieberman, CEO of Lieberman Software Corporation, here. "[FREAK is more of a] hypothetical threat to a limited collection of users and systems," he reckons, adding it's based on "a series of very unusual conditions." As Lieberman also points out, it's also an attack which requires sophisticated actors (most likely state sponsored) with tools and technologies not in common use.

"The attack is very difficult to set up and is in the realm of state-sponsored physical intrusion of your internet or Wi-Fi connection" Lieberman says.

"The mechanism described is a valid methodology, but it depends on physical compromise of your connection and a series of lucky coincidences, like you running the right browser and hitting the right websites." Whereas Heartbleed was a 'must patch' scenario for internet-facing sites, Lieberman insists - and I concur - FREAK is interesting, but shouldn't keep anybody awake at night. That is "unless their internet connection is tapped or are using Wi-Fi without encryption and authentication," he adds.

So, the sky is not falling, the world is not ending and all the Chicken Littles should calm down now.

There are a whole bunch of options (here's one) for checking if sites could be compromised, no matter how unlikely that may be in the real world, so use them and upgrade to something more modern and secure if needed. Ditto when it comes to browser clients (for example this one) and, if vulnerable, update the damn thing, or change to a client that isn't vulnerable.

Oh, and just for the record while you are doing the whole server security tweaking thing, why not also disable support for export cipher suites and enable forward secrecy. Now you know those little acorns make sense...

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Security best practices for PostgreSQL

Securing data with PostgreSQL

Download now

Transform your MSP business into a money-making machine

Benefits and challenges of a recurring revenue model

Download now

The care and feeding of cloud

How to support cloud infrastructure post-migration

Watch now

Recommended

How to encrypt files and folders in Windows 10
encryption

How to encrypt files and folders in Windows 10

9 Apr 2021
The definitive guide to IT security
Whitepaper

The definitive guide to IT security

9 Apr 2021
Evidence suggests REvil behind Harris Federation ransomware attack
ransomware

Evidence suggests REvil behind Harris Federation ransomware attack

9 Apr 2021
Fujitsu taps Trend Micro to secure private 5G networks in smart factories
5G

Fujitsu taps Trend Micro to secure private 5G networks in smart factories

8 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Data belonging to 500 million LinkedIn users found for sale on hacker marketplace
hacking

Data belonging to 500 million LinkedIn users found for sale on hacker marketplace

8 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021