
FREAK Flaw Allowed Hackers To Bypass HTTPS Security

Saturday, July 25th, 2015


Security researchers have discovered a critical security flaw which allows hackers to weaken HTTPS security and perform man-in-the-middle attacks against ordinary internet users. Dubbed FREAK (for Factoring attack on RSA-EXPORT Keys), the flaw has been in existence for almost two decades and affects many different types of devices, operating systems and websites. The vulnerability was first discovered by Karthikeyan Bhargavan, who works as a security researcher at INRIA, Paris, in conjunction with security teams from miTLS and Microsoft.

As per the details published by the researchers, the FREAK flaw mostly affects programs running on Windows, iOS, Mac and Android operating systems. The vulnerability relies on weakened Secure Sockets Layer (SSL) and Transport Layer Security (TLS) ciphers present in a number of libraries, including OpenSSL, LibreSSL, BoringSSL, SChannel and SecureTransport, to carry out the attacks. Among software products, any application that relies on old and compromised SSL/TLS libraries is vulnerable to the flaw, including Internet Explorer, Chrome (older versions prior to version 41), Opera on Android and Mac, the Android browser, Safari and the BlackBerry browser.

The FREAK vulnerability allows attackers to monitor internet traffic between compromised servers and end-user devices. With the help of the flaw, hackers can introduce malicious code into such communications and even force the underlying web sessions to use weaker (512-bit) encryption in order to compromise HTTPS security. The weaker cipher keys are a legacy of the Clinton administration, which asked US tech companies not to use strong encryption in technology exported out of the US. This forced companies to use two different sets of cipher keys for their products: stronger commercial-grade keys for the US market and weaker keys for other countries. While this practice was abandoned when the export controls were abolished, the weaker keys survived and have now struck back in the form of the FREAK flaw.

After the discovery of the flaw, researchers analyzed millions of sites to check how many of them were affected by the vulnerability. A quick analysis revealed that 36 percent of the sites using SSL/TLS libraries were vulnerable to such attacks, out of which 36 percent were browser-trusted sites and 12 percent were among the top one million sites of the world. The list of compromised sites included even high-profile sites like FBI.gov, NSA.gov, WhiteHouse.gov, AmericanExpress.com and Bloomberg.com, which clearly shows that no site is truly safe from the vulnerability.

Apple, Microsoft and Google have already released patches for the FREAK vulnerability. Additionally, a vast majority of websites that were initially vulnerable to the flaw are now considered safe from it. However, many smartphone manufacturers are yet to issue a fix for the vulnerability, which means hackers can still use it to carry out attacks against internet users. In order to remain totally safe from the FREAK flaw, it is advisable to switch to the latest versions of operating systems and browsers, which have retired older and compromised versions of SSL/TLS libraries.

