Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    FREAK Attacks SSL/TLS Security, Putting Apple, Android Users at Risk

    By
    Sean Michael Kerner
    -
    March 4, 2015
    Share
    Facebook
    Twitter
    Linkedin
      FREAK flaw

      The integrity of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption is the focal point for a newly discovered vulnerability known as Factoring attack on RSA-EXPORT Keys, or FREAK, that could potentially enable attackers to decrypt secured data traffic.

      The FREAK vulnerability, also identified as CVE-2015-0204, is a cryptographic weakness that is triggered by use of what is known as export-grade cryptography. It was reported by the miTLS research effort, which is a joint project of INRIA and Microsoft Research.

      “This attack targets a class of deliberately weak export cipher suites,” the miTLS researchers stated. “As the name implies, this class of algorithms were introduced under the pressure of US governments agencies to ensure that they would be able to decrypt all foreign encrypted communication, while stronger algorithms were be banned from export (as they were classified as weapons of war). “

      The flaw is actually inside the open-source OpenSSL cryptographic library for versions prior to 1.0.1k, and it has already been patched in the upstream open-source project. According to the CVE advisory, the FREAK attack “allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role.”

      Servers that support the use of the export-grade cryptography are at risk, as well as Google’s Android and Apple’s Safari Web browser.

      “We encourage all websites to disable support for export certificates,” a Google spokesperson told eWEEK in an email. “Android’s connections to most websites—which include Google sites, and others without export certificates—are not subject to this vulnerability.”

      The Google spokesperson added that Google has also developed a patch to protect Android’s connection to sites that do expose export certs, and that patch has been provided to partners. The miTLS researchers noted in their discussion of the FREAK flaw that they informed the affected vendors, and Apple has advised them that a patch is coming.

      The FREAK attack joins a number of vulnerabilities in SSL/TLS that have been revealed in recent years. In October 2014, Google researchers disclosed the POODLE vulnerability in SSL 3.0. Heartbleed, a high-impact flaw in OpenSSL, was disclosed in April 2014. In 2011, the BEAST attack against SSL/TLS, which still impacts approximately 80 percent of sites tested by Qualys Labs’ SSL Pulse service, was disclosed.

      The discovery of yet another SSL/TLS vulnerability is not a surprise to Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

      “There are most certainly many more protocol, crypto and certificate vulnerabilities out there lurking,” Bocek said.

      Bocek added that SSL/TLS and their associated digital certificates are the foundation of security on the Internet. As a result, regardless of the vulnerability, the basic lesson is the same: SSL/TLS, keys and certificates are too important to be treated with blind trust.

      “Heartbleed was just a pinprick and with more sites using encryption and certificates than ever before, the target is getting bigger for the bad guys,” he said. “Their interest in intercepting encrypted traffic, spoofing trusted sites or hiding in encryption is only growing.”

      Bocek suggests that for IT security professionals, the right path forward is to not take SSL/TLS and certificates for granted.

      “Know what crypto you’re using and know everywhere you have certificates—including out in the cloud and with CDNs [content delivery networks],” he said. “All the vulnerabilities and attacks on SSL/TLS and certificates have shown us that time is up.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×