Old Government Policies Influenced the FREAK Security Flaw

Old Government Policies Influenced the FREAK Security Flaw

I guess it's not a flaw until someone discovers it.

I have it on good faith that Troy Hunt is working up some commentary for his new WindowsITPro Security Sense feature covering the latest uncovered flaw in Apple and Android platforms. Troy has a lot of technical acumen in the security arena and I'm looking forward to reading his thoughts next week. However, it's important that this newly discovered vulnerability gets as much exposure as possible, since it affects many of you.

Yesterday, security researchers reported a security flaw that has actually existed since the 1990's. FREAK, which stands for "Factoring attack on RSA-EXPORT Key," is blamed on old U.S. government policy that required U.S. software companies to use weaker encryption in products sold overseas to protect national security interests. The policy was abandoned over a decade ago, but the backdoor remnants still exist in web browsers for Apple and Android devices.

The Tracking the FREAK Attack web site offers this explanation for the flaw:

A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.

Apple and Google have both promised a fix soon to repair the flaw. Apple's will not come until next week. Google has provided a fix to device makers and wireless providers already, but it's up to these third parties to decide when and how to proliferate the fix. Until then, anyone using an Apple web browser or the browser built into Android should beware.

About a third of all sites with encrypted communications are vulnerable. Researchers at the University of Michigan have given some examples of sites that could reveal visitor information to hackers due to the lax encryption security. Those include sites like American Express, Kohl's, Marriott, ZDNet and sites maintained by government agencies. The full list is HERE. Web owners that want to check to see if their own web site is vulnerable to the flaw can use the SSL Server Test at the Qualys web site to see: SSL Server Test.

Until a permanent fix is available, web managers should do the following:

If you run a web server, you should disable support for any export suites. However, instead of simply excluding RSA export cipher suites, we encourage administrators to disable support for all known insecure ciphers (e.g., there are export cipher suites protocols other than RSA) and enable forward secrecy.

Additionally, the FREAK Attack web site tells of a published a guide and SSL Configuration Generator on the Mozilla web site, that helps generate known good configurations for common servers.


Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.