In-depth

Don't FREAK out over the Factoring Attack on RSA-EXPORT Keys

security key on keyboard

OPINION: It's about time we got things, by which I mean security vulnerabilities, into freakin' perspective. Currently the IT security industry and the media covering it are, in my opinion, in danger of becoming the internet equivalent of Chicken Little.

Every time a vulnerability is discovered which has the potential to impact upon large numbers of users we get the same 'the sky is falling' message writ large. Yet potential and probability are not automatic bedfellows, which appears to have passed many headline and press release writers by. The latest falling acorn to be mistaken for a piece of the internet sky is FREAK, or Factoring Attack on RSA-EXPORT Keys to be a little more formal about things.

Advertisement - Article continues below

What is FREAK?

What is FREAK, other than over-hyped that is? The simple answer is that it's a leftover weakness from political meddling by the US when Secure Sockets Layer (SSL) connection encryption was introduced. That meddling back in the early 1990's came in the form of export controls for encryption systems which enabled the US to use stronger encryption keys while international users had to make do with weaker ones.

In the case of SSL this originally meant Netscape deploying 40-bit cryptography for the international export grade versions, with the US keeping the de-facto stronger 128-bit version for themselves. This was supposedly to enable the NSA to be able to access communications, as only state sponsored outfits would have the required computing resources.

Advertisement
Advertisement - Article continues below

Things have changed since then, both in terms of scrapping that encryption export limit and supercomputer processing resources (via the cloud for example) being available to pretty much anyone who wants them. Unfortunately one thing hasn't changed, and that's the vulnerability discovered which means that some servers will accept RSA export-grade keys even when the client didn't ask for them.

Advertisement - Article continues below

It's actually exploiting a negotiation mode between servers and browsers that enables the server to downgrade the encryption requirement until the browser client can connect to it. Because the legacy export grade encryption is weaker, and computing resources are more powerful, the potential for decryption of SSL keys within hours using something powerful compute-wise exists. But does that potential, I ask again, equate to probability?

I'm with Phil Lieberman, CEO of Lieberman Software Corporation, here. "[FREAK is more of a] hypothetical threat to a limited collection of users and systems," he reckons, adding it's based on "a series of very unusual conditions." As Lieberman also points out, it's also an attack which requires sophisticated actors (most likely state sponsored) with tools and technologies not in common use.

"The attack is very difficult to set up and is in the realm of state-sponsored physical intrusion of your internet or Wi-Fi connection" Lieberman says.

Advertisement - Article continues below

"The mechanism described is a valid methodology, but it depends on physical compromise of your connection and a series of lucky coincidences, like you running the right browser and hitting the right websites." Whereas Heartbleed was a 'must patch' scenario for internet-facing sites, Lieberman insists - and I concur - FREAK is interesting, but shouldn't keep anybody awake at night. That is "unless their internet connection is tapped or are using Wi-Fi without encryption and authentication," he adds.

So, the sky is not falling, the world is not ending and all the Chicken Littles should calm down now.

There are a whole bunch of options (here's one) for checking if sites could be compromised, no matter how unlikely that may be in the real world, so use them and upgrade to something more modern and secure if needed. Ditto when it comes to browser clients (for example this one) and, if vulnerable, update the damn thing, or change to a client that isn't vulnerable.

Oh, and just for the record while you are doing the whole server security tweaking thing, why not also disable support for export cipher suites and enable forward secrecy. Now you know those little acorns make sense...

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement
Advertisement

Recommended

Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Visit/business/policy-legislation/356215/senators-propose-a-bill-aimed-at-ending-warrant-proof-encryption
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Visit/business-strategy/careers-training/356422/ibm-job-ad-calls-for-12-year-experience-with-6-year-old
Careers & training

IBM job ad calls for 12-years of experience with six-year-old Kubernetes

13 Jul 2020
Visit/business/business-operations/356395/nvidia-overtakes-intel-as-most-valuable-us-chipmaker
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020
Visit/security/cyber-attacks/356417/trump-confirms-cyber-attacks-on-russia-election-trolls
cyber attacks

Trump confirms US cyber attack on Russia election trolls

13 Jul 2020