FREAK - TLS Downgrade attack on Android and iOS

    UPD: Internet Explorer, Chrome on Mac OS and Android, Safari on Mac OS and iOS, the BlackBerry Browser, and Opera on Mac OS and Linux are also vulnerable.

    Researchers from INRIA, IMDEA and Microsoft have discovered a vulnerability in the TLS implementations of OpenSSL and Apple's TLS/SSL stack, which they named FREAK (Factoring attack on RSA-EXPORT Keys). The vulnerability is insufficient verification during the TLS handshake on the client side, which lets a "man in the middle" downgrade the connection's encryption to 512-bit RSA keys, which the attacker can recover within a few hours.

    EXPORT Ciphersuites

    Around the middle of the 20th century, the United States introduced laws restricting the export of strong ciphers outside the country. Only specially weakened versions of ciphers could be exported, for example with 40- or 56-bit keys for symmetric encryption and 512-bit keys for asymmetric encryption. Serious restrictions were in effect until the end of 1992, and by the beginning of 2000 most of them had been lifted, although some remain to this day.
    Modern TLS standards still allow these weak ciphersuites, and some web servers (26.3% of the whole Internet according to zmap statistics) still accept them when establishing a TLS connection.

    It turned out that the OpenSSL implementation (the built-in browser on Android) and Apple's TLS/SSL (Safari) contain a bug that lets a "man in the middle" force the client to use EXPORT encryption even if the client never announced support for it. Several conditions must all be met for this:
    • The client uses a vulnerable version of OpenSSL or Apple TLS/SSL
    • EXPORT ciphersuites are enabled on the server
    • The attacker has the 512-bit RSA private key

    Although the researchers managed to recover the private half of the 512-bit RSA key for the nsa.gov website, exploiting the vulnerability in practice is difficult, because EXPORT keys are either regenerated every time the web server restarts or are unique to each client (the same scheme as with DH keys).
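The bug described above is a missing consistency check: a client that negotiated an ordinary RSA ciphersuite still accepted a ServerKeyExchange message carrying a temporary 512-bit RSA key, which only an RSA_EXPORT suite is allowed to send. The following Python script is an added example (not code from the original post, from OpenSSL or from Apple) that models the check a correct client must perform, and additionally flags EXPORT suites in a ClientHello so a defender can spot them in captured handshakes. All handshake bytes, the hypothetical `build_*` helpers and the 512-bit modulus are constructed for the example; the ciphersuite identifiers are the standard IANA values.

```python
"""Added example: the client-side check whose absence caused FREAK, plus an
EXPORT-suite detector for TLS ClientHello bodies. All inputs are constructed."""
import struct

# Standard IANA ciphersuite ids for the EXPORT suites (RFC 2246 / RFC 4346).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
# Only these suites legitimately carry a temporary RSA key in ServerKeyExchange.
RSA_EXPORT_SUITES = {0x0003, 0x0006, 0x0008}
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F   # an ordinary (non-export) RSA suite


def build_client_hello_body(suites, session_id=b""):
    """Hypothetical helper: construct a TLS 1.2 ClientHello body (bytes after the
    4-byte handshake header) offering the given suites, no extensions."""
    body = b"\x03\x03" + bytes(32)                  # client_version + zero random
    body += bytes([len(session_id)]) + session_id   # session_id<0..32>
    body += struct.pack("!H", 2 * len(suites))      # cipher_suites<2..2^16-2>
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                             # one compression method: null
    return body


def parse_client_hello_suites(body):
    """Return the ciphersuite ids offered in a ClientHello body."""
    pos = 2 + 32                                    # skip version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[pos + i:pos + i + 2])[0]
            for i in range(0, suites_len, 2)]


def export_suites_offered(body):
    """Names of EXPORT suites present in the offer (a downgraded offer shows them
    even when the real client never supported them)."""
    return [EXPORT_SUITES[s] for s in parse_client_hello_suites(body)
            if s in EXPORT_SUITES]


def build_rsa_server_key_exchange(modulus, exponent):
    """Hypothetical helper: ServerRSAParams (RFC 2246 7.4.3) for a temporary key."""
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    return struct.pack("!H", len(n)) + n + struct.pack("!H", len(e)) + e


def parse_rsa_server_key_exchange(params):
    """Return (modulus_bits, exponent) from ServerRSAParams bytes."""
    n_len = struct.unpack("!H", params[:2])[0]
    n = int.from_bytes(params[2:2 + n_len], "big")
    e_len = struct.unpack("!H", params[2 + n_len:4 + n_len])[0]
    e = int.from_bytes(params[4 + n_len:4 + n_len + e_len], "big")
    return n.bit_length(), e


def validate_key_exchange(negotiated_suite, ske_params=None):
    """The check vulnerable clients skipped. Returns None when the handshake is
    consistent, otherwise the reason the client must abort.

    An RSA ServerKeyExchange is only allowed when an RSA_EXPORT suite was
    negotiated; in FREAK the attacker rewrote the ServerHello back to a strong
    suite, so the client saw a non-export suite together with a 512-bit key."""
    if ske_params is None:
        return None                                 # plain RSA: key comes from the cert
    if negotiated_suite not in RSA_EXPORT_SUITES:
        return ("unexpected ServerKeyExchange for non-export RSA suite 0x%04X"
                % negotiated_suite)
    bits, _ = parse_rsa_server_key_exchange(ske_params)
    if bits > 512:
        return "export suite with oversized temporary key (%d bits)" % bits
    return None  # export suite was explicitly negotiated (a modern client should disable these)


if __name__ == "__main__":
    # Constructed 512-bit modulus standing in for the server's export key.
    ske = build_rsa_server_key_exchange((1 << 511) | 1, 65537)
    print("honest offer:", export_suites_offered(
        build_client_hello_body([TLS_RSA_WITH_AES_128_CBC_SHA])))
    print("downgraded offer:", export_suites_offered(
        build_client_hello_body([0x0003])))
    print("FREAK handshake:", validate_key_exchange(TLS_RSA_WITH_AES_128_CBC_SHA, ske))
```

Run as-is, the script shows that a ClientHello rewritten by a man in the middle exposes the EXPORT suite in its offer, and that a client applying `validate_key_exchange` rejects the combination of a strong negotiated suite and a temporary RSA key instead of silently using it. The fixed OpenSSL and Apple releases enforce the same rule in their handshake state machines.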

    What to do?

    Android users should temporarily stop using the built-in browser and use Chrome (or any other third-party browser).
    If your program uses OpenSSL, make sure version 1.0.1k or later is installed.
    iOS users have to wait for a fix from Apple.
