Web Security Haunted by Freak Vulnerability
By Shirley Siluk / CRM Daily
A "zombie" vulnerability left over from decades-old U.S. security policies on encryption could leave a huge number of Web sites open to "man-in-the-middle" attacks when viewed with OpenSSL browsers like Android or with Apple Safari, a team of researchers has found. The so-called FREAK attack arises when certain browsers attempt to establish a connection with Web servers, enabling acceptance of less-than-secure encryption keys.

FREAK, which stands for "Factoring RSA Export Keys," was discovered by cryptographers with the French research establishment INRIA, Spain's IMDEA research institute and Microsoft Research. They found that Safari's SecureTransport and Google's OpenSSL clients could be "tricked" into accepting a less-secure encryption key from a Web server because of a flaw left over from 1990s-era U.S. government export controls on encryption technologies.

Those controls required encryption systems exported from the U.S. to have weaker standards than those sold in the U.S. While today's requirements are no longer so stringent, those export-grade security connections may still be enabled for many Web sites.

FREAK Enabled on NSA, FBI Web Sites

We contacted the research team to learn more about how they discovered the FREAK vulnerability.

"We were analysing various SSL/TLS clients (e.g. browsers) and servers (Web sites) as part of a research project and we found a number of unexpected behaviors (see," INRIA researcher Karthikeyan Bhargavan said via email. "Some of these behaviors resulted in attacks, such as FREAK."

FREAK works by messing with the standard encryption requirements for establishing Internet connections. The SSL protocol created by Netscape in the 1990s -- and the TLS protocol that replaced it -- requires an RSA encryption key to connect a client browser with a Web server. FREAK, however, enables the client to accept a less-secure, export-grade 512-bit RSA key rather than a standard RSA key.

"Support for these weak algorithms has remained in many implementations such as OpenSSL, even though they are typically disabled by default; however, we discovered that several implementations incorrectly allow the message sequence of export ciphersuites to be used even if a non-export ciphersuite was negotiated," the research team wrote. "Thus, if a server is willing to negotiate an export ciphersuite, a man-in-the-middle may trick a browser (which normally doesn't allow it) to use a weak export key....

"Ironically, many U.S. government agencies (including the NSA and FBI), as well as a number of popular Web sites (IBM, or Symantec) enable export ciphersuites on their server -- by factoring their 512-bit RSA modulus, we can impersonate them to vulnerable clients."

Thousands of Web Sites Affected

The FREAK Attack Web site lists numerous sites the researchers have found supporting RSA export-grade cipher suites. They included 9.7 percent (the figure was previously 12.2 percent) of the top million domains on Alexa and 36.7 percent of browser-trusted sites.

While no man-in-the-middle attacks have been observed due to the FREAK vulnerability, the research team is advising Web server operators to disable support for any export suites and to enable forward secrecy.
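The server-side check implied by this advice, as an added example that is not from the article or the research team: given the cipher suites a server accepted during a scan, it flags RSA export suites and reports whether any forward-secret suite is offered. The function name `audit_suites` is hypothetical and both suite lists are constructed sample data.

```python
# Added example: audit a server's accepted cipher suites for FREAK exposure.
# Suite lists below are constructed sample data, not real scan results.

# RSA key-exchange export suites (OpenSSL name -> IANA name).
RSA_EXPORT_SUITES = {
    "EXP-RC4-MD5": "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "EXP-RC2-CBC-MD5": "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "EXP-DES-CBC-SHA": "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
IANA_TO_OPENSSL = {v: k for k, v in RSA_EXPORT_SUITES.items()}

# Ephemeral Diffie-Hellman key exchanges provide forward secrecy.
FS_PREFIXES = ("ECDHE-", "DHE-", "TLS_ECDHE_", "TLS_DHE_")

# Constructed inputs: a legacy server and a hardened one.
LEGACY_SERVER = ["AES128-SHA", "DES-CBC3-SHA", "EXP-RC4-MD5",
                 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", "EXP-EDH-RSA-DES-CBC-SHA"]
HARDENED_SERVER = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-GCM-SHA256"]


def audit_suites(accepted):
    """Classify accepted suites, given by OpenSSL or IANA name."""
    rsa_export, other_export, forward_secret = [], [], []
    for name in (s.strip() for s in accepted):
        if not name:
            continue
        canonical = IANA_TO_OPENSSL.get(name, name)
        if canonical in RSA_EXPORT_SUITES:
            rsa_export.append(canonical)        # the suites FREAK relies on
        elif canonical.startswith("EXP") or "_EXPORT" in canonical:
            other_export.append(canonical)      # export-grade, but not RSA key exchange
        elif canonical.startswith(FS_PREFIXES):
            forward_secret.append(canonical)
    return {
        "freak_exposed": bool(rsa_export),
        "rsa_export": sorted(rsa_export),
        "other_export": sorted(other_export),
        "forward_secrecy": bool(forward_secret),
    }


if __name__ == "__main__":
    for label, suites in (("legacy", LEGACY_SERVER), ("hardened", HARDENED_SERVER)):
        print(label, audit_suites(suites))
```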

Akamai, whose content delivery networks serve many sites found to have the vulnerability, said in a blog post Monday that it had rolled out a fix on its Secure Network and was working with clients to make the changes needed to secure their sites.

The company had been contacted by the research team last week, an Akamai spokesperson said.

"We have not seen any evidence of attack," the spokesperson told us. "We do a great deal of monitoring of the traffic on our network, and the daily reports have not shown any increase in the use of export ciphers."

The discovery of the vulnerability, though, adds a new dimension to the already-contentious dialog between tech companies who are promoting stronger encryption standards and security agencies like the FBI and NSA that say they need to have built-in, "backdoor" access to networking and communications systems.

"Backdoors in cryptography are generally a bad idea, because a door you leave open for yourself may also one day be used by others," Bhargavan said. "To me that is the lesson from this attack."

Tell Us What You Think


G A Tolmas:
Posted: 2015-03-05 @ 10:30am PT
A demonstration of how yesterday's regulations when applied to today's technology can and will come back to bite: The extending of the Communications Act to cover the Internet by the FCC is an approaching train wreck.

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.