Apache Lounge

FREAK attacks SSL/TLS clients

Joined: 15 Oct 2005
Posts: 2685
Location: Hilversum, NL, EU

PostPosted: Fri 06 Mar '15 22:46    Post subject: FREAK attacks SSL/TLS clients

Got this from Ivan's Bulletproof TLS Newsletter:

Dear Steffen Land,

This week brought us the disclosure of the so-called FREAK attack [1],
whose name stands for Factoring RSA Export Keys. At first glance,
it seemed that FREAK is just a practical exploit for CVE-2015-0204 [2],
which is a problem with OpenSSL announced back in January this year.
Matthew Green has a good post describing the problem [3], but we'll
get back to that later. Now that a couple of days have passed, it turns
out that the problem is much bigger and that all major browsers except
Firefox were or are still vulnerable to the same problem, even those
browsers that don't rely on OpenSSL. Chrome, Internet Explorer, Opera,
and Safari were all reported vulnerable.

To understand the problem we need to go back many years, to the time
now long past when the US wouldn't allow export of strong encryption.
This led to the creation of so-called export cipher suites, which are
limited to 512 bits of security. Back then (about two decades ago),
512 bits was somewhat weak-ish, but certainly not within easy reach of
many. Today, of course, it's a different story -- it can be broken
within hours, and for as little as $100. [3]

To support export cipher suites, servers have to create and use
short-lived 512-bit RSA keys, even when normally using stronger keys
(1024 bits originally, 2048 bits these days). The FREAK attack exists
for three reasons. First, these 512-bit keys can now be broken by
anyone in a matter of hours, and second, some servers keep these
"short-lived" keys around for a very long time. What this means is
that servers that support export suites are effectively willing to
downgrade to only 512 bits of security.

But that isn't enough. Modern clients don't support export suites any
more, which means there's no one to ask to use these weak security
levels. That's where CVE-2015-0204 comes in. This problem "makes"
vulnerable clients accept weak 512-bit RSA keys even when they don't
ask to use export cipher suites and even if they don't support them!
Normally, a server wouldn't do that, but an active network attacker

This has two practical consequences. First, an active network attacker
can downgrade any connection to only 512 bits of security, if the
conversation is between a server that supports export suites and a
vulnerable client. This means that even if the attacker can't break
the 512-bit key straight away, she can record the conversation and
break the key later... but only a matter of hours later.

With servers that reuse these weak keys, it gets worse. An attacker can
retrieve the key by connecting to the server, break the key, then mount
an active network attack that allows her to intercept traffic (with a
vulnerable client) in real time.

What can you do about this? If you're running a secure server, make
sure that you're not supporting export cipher suites. If you're not
sure, test with the SSL Labs server test [4]. To protect yourself,
upgrade your browser as soon as your vendor releases a patch.
OpenSSL was fixed in January, Chrome on OSX this week. If we're lucky,
the remaining browsers might be patched next week. To test your browser,
visit the SSL Labs client test [5].

You can find further information on the web site maintained by the
University of Michigan [6].

[1] SMACK: State Machine AttaCKs

[2] CVE-2015-0204

[3] Attack of the week: FREAK (or 'factoring the NSA for fun and profit')

[4] SSL Labs Server Test

[5] SSL Labs Client Test

[6] Tracking the FREAK Attack


Joined: 07 Oct 2013
Posts: 241
Location: United Kingdom, London

PostPosted: Sat 07 Mar '15 0:49    Post subject:

I use Cloudflare, so they were already on top of this.


Joined: 08 Mar 2015
Posts: 3
Location: Oman

PostPosted: Sun 08 Mar '15 8:52    Post subject:

Thanks Steffen for the detailed info.

Is there any way to mitigate the possibility of exploitation before the OpenSSL update? I guess the OpenSSL 1.0.1m update will fix this issue:

Changes between 1.0.1l and 1.0.1m [xx XXX xxxx]
*) Removed the export ciphers from the DEFAULT ciphers
[Kurt Roeckx]

Best Regards

Mohammed Khalid

Joined: 16 Oct 2007
Posts: 2169
Location: Sun Diego, USA

PostPosted: Wed 11 Mar '15 4:39    Post subject:

skhalid199 wrote:
Is there any way to mitigate the possibility of exploitation before the OpenSSL update? I guess the OpenSSL 1.0.1m update will fix this issue

Yes, as I read it, if you are using at least OpenSSL 1.0.1k, 1.0.0p or 0.9.8zd, you are halfway safe. It now becomes a matter of your configuration.

If you allow Export ciphers in SSLCipherSuite (e.g. EXP, EXPORT40, EXPORT56) then yes, you are. If you have none of those and do have !EXP in there, you should be safe. The ciphers cannot be downgraded to Export.

Test your server; there are a couple of tests linked in the above post. The SSL Labs test will show you all ciphers that can be used.

Joined: 25 May 2014
Posts: 78

PostPosted: Wed 11 Mar '15 13:07    Post subject:

I'd try this for Apache:

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
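A small audit script, added here as an example (it is not code from this thread or from the Apache project), that applies the rules stated in the two posts above to an httpd SSL configuration: SSLCipherSuite must name no EXP/EXPORT40/EXPORT56 token and must carry an explicit !EXP, SSLProtocol should drop SSLv2 and SSLv3, and SSLHonorCipherOrder should be On. The two config fragments, the function names and the treatment of a missing SSLCipherSuite as DEFAULT are my own assumptions.

```python
import re

# Constructed sample httpd-ssl.conf fragments (not taken from the thread):
# a weak configuration and one that follows the advice given above.
WEAK_CONF = """
SSLProtocol all
SSLCipherSuite DEFAULT:EXPORT40:!aNULL
"""
FIXED_CONF = """
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!EXP
"""

# OpenSSL cipher-string tokens that select export-grade (512-bit RSA) suites.
EXPORT_TOKENS = {"EXP", "EXPORT", "EXPORT40", "EXPORT56"}

def directives(conf):
    """Return {directive: value} for every SSL* directive in a config text."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(SSL\w+)\s+(.+?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def export_allowed(cipher_suite):
    """Thread rule: safe only with no export token and an explicit !EXP."""
    allows = kills = False
    for tok in cipher_suite.split(":"):
        base = tok.lstrip("!+-").upper()
        if base not in EXPORT_TOKENS or tok.startswith("-"):
            continue              # "-EXP" is not permanent, so it does not count
        if tok.startswith("!"):
            kills = True          # "!EXP" permanently removes export suites
        else:
            allows = True         # "EXP", "+EXP", "EXPORT40", ... enable them
    return allows or not kills

def audit(conf):
    """Return findings for one httpd SSL configuration (empty list = clean)."""
    d = directives(conf)
    findings = []
    if export_allowed(d.get("SSLCipherSuite", "DEFAULT")):  # assumed default
        findings.append("SSLCipherSuite may permit export (512-bit RSA) suites")
    # Absent SSLProtocol means httpd's default "all", so SSLv2/SSLv3 stay on.
    toks = [t.lstrip("+") for t in d.get("SSLProtocol", "all").lower().split()]
    for old in ("sslv2", "sslv3"):
        if (old in toks or "all" in toks) and "-" + old not in toks:
            findings.append(f"SSLProtocol does not disable {old}")
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not On")
    return findings
```

Run audit() over the real httpd-ssl.conf text; an empty list means the configuration passes the checks the posts describe, though the SSL Labs test remains the authoritative check of what the live server actually negotiates.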
