@threatintel | www.symantec.com
#FREAK
FREAK TARGETS WEAK CRYPTO LATEST SSL VULNERABILITY ENABLES ATTACKS AGAINST SOME
SECURE CONNECTIONS
CLIENT
PRECAUTIONS User: Use non-vulnerable browser (Chrome, Firefox) Admin: Disable support for weak cipher suites such as export grade encryption
REMEMBER TO UPGRADE SOFTWARE WHEN PATCHES BECOME AVAILABLE
SOME BROWSERS CAN BE FORCED TO USE WEAK
EXPORT GRADE KEYS
MAN-IN-THE-MIDDLE ATTACK
FORCE DOWNGRADE ENCRYPTION FROM STRONG TO EXPORT GRADE (<= 512 BIT)
EXPORT GRADE ENCRYPTION <= 512 BIT KEYS
512 BIT TOO WEAK
7 HOURS IS ALL IT TAKES TO CRACK A 512 BIT ENCRYPTION KEY (Using < 100 typical PC’s)
TIMELINE OF SSL/TLS INSECURITY
1990s 512 bit export grade encryption key size was considered acceptable for public use but still allowed governments to decrypt communications if needed. 2000s (EARLY) Relaxation of controls on non-military grade cryptography. 1024 bit keys widely used and considered safe. 2013 Certificate Authority/Browser Forum increases the key size for Root CA certs. Baseline requirements jump from 1024 bits to 2048 bits. This should provide security headroom…for a while. 2014 • HEARTBLEED – SSL information leak vulnerability affecting many
SSL implementations.
• POODLE – SSL encryption downgrade dance can allow attackers to force weaker encryption on SSL connections which can then be cracked/hijacked.
• FREAK – Discovery of FREAK vulnerability, affecting many server implementations and browsers, could allow for multiple attack scenarios.
SOME SERVERS STILL SUPPORT EXPORT GRADE CIPHER SUITES
SERVER
RAPIDLY INCREASING PROCESSING
POWER MEANS WHAT WAS CONSIDERED SECURE IN THE 90s IS
NO LONGER SECURE NOW
MOORE’S LAW
Sources: https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status https://www.cabforum.org/wp-content/uploads/Baseline_Requirements_V1.pdf http://www.symantec.com/connect/blogs/heartbleed-bug-poses-serious-threat-unpatched-servers http://www.symantec.com/connect/blogs/poodle-vulnerability-old-version-ssl-represents-new-threat