{"id":75900,"date":"2015-03-12T22:59:13","date_gmt":"2015-03-13T02:59:13","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/index.php\/"},"modified":"2021-08-12T21:24:19","modified_gmt":"2021-08-13T01:24:19","slug":"what-the-freak","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/what-the-freak\/","title":{"rendered":"What the FREAK !"},"content":{"rendered":"

\"What<\/a>Earlier this month news broke that Google, Apple, and Microsoft are vulnerable to a new bug<\/strong> poetically called \u2013 Factoring RSA Export Keys \u2013 FREAK<\/strong>. The cause of the FREAK bug is not new. In fact, the origin of the FREAK back goes back to the 1990s and government meddling.<\/p>\n

\"weaker<\/a>Paul Dirkin<\/a> at Sophos’<\/a> Naked Security<\/a><\/em> blog explains<\/a> that FREAK<\/strong> is a risk to all users. It is a risk because an attacker can trick you and the server into settling on a much weaker HTTPS encryption<\/strong> scheme than from the 1990s. Basically, the attacker gets you to use what’s called “export grade” RSA encryption<\/a>. <\/strong>Export grade encryption is\u00a0a ghost from an earlier U.S. Gooberment<\/strong> attempt to break encryption. In the ’90s the NSA required exported encryption to be deliberately weakened. The idea was that export grade keys were just about good enough for every day, not-so-secret use, but could be cracked by superpowers with supercomputers if national security should demand it.<\/p>\n

No one should be using export-grade keys anymore \u2013 indeed, no one usually does. But many clients and servers still support them according to Sophos. Somehow, in 2015 it never seemed to matter that the 1990 code was still lying around.<\/p>\n

\"U.S.<\/a>If attackers can watch the traffic flowing between vulnerable devices and websites they could inject code<\/strong> that forces both sides to use 512-bit encryption, which can be easily cracked. It took researchers seven months to crack the key In 1999, the article claims that the same crack takes about 12 hours and $100 using Amazon’s<\/a> (AMZN<\/a>) cloud in 2015. It would then be technically pretty straightforward to launch a MITM<\/a> by pretending to be the official website.<\/p>\n

Now that your security is compromised, an attacker can use a “man in the middle” attack (someone who can listen into and change the network traffic between you and your destination server).<\/p>\n

\"Factoring\"<\/a>Additionally, the author says many servers use the same RSA key over and over again. This allows attackers to use the compromised export grade key to decrypt other sessions, using the same key. Another risk Sophos claims is that export-grade keys allow evil-doers to steal both the public and private keys by using a technique known as “factoring the modulus,”\u00a0 With the critical private key, criminals can now sign traffic from an imposter website as though it came from a trusted third-party.<\/p>\n

The author says the team that identified the original FREAK vulnerability claim to have used this bug to create a fake nsa dot gov.\u00a0University of Michigan<\/a> computer scientists<\/a> J. Alex Halderman and Zakir Durumeric, told InfoSecurity<\/a><\/em> that the vulnerability affects around 36% of all sites trusted by browsers and around 10% of the Alexa top one million domains.<\/p>\n

The good news, according to Sophos: Users of Chromium\/Chrome and Firefox are OK.<\/strong><\/p>\n

The bad news – the bug affects TLS\/SSL, the security protocol that puts the S into HTTPS and is responsible for the padlock in your browser’s address bar. The bug<\/strong> is known to exist in:<\/p>\n