Wednesday, March 4, 2015

‘FREAK’ – a major flaw, born of the struggle against the US … – ZDNet France

Update 1:01 p.m.: "The agility of TLS suffers from the bloat of its legacy: after 20 years of evolution of the standard, it has many versions, extensions, and cipher suites, some of which are no longer used or are known to be insecure," the researchers write in the report devoted to the FREAK attacks. And this legacy is precisely one of the causes of this new security risk identified on the Internet.

Indeed, the proliferation of protocol versions, authentication modes and key exchange methods for establishing a secure connection between a client and a server has generated "bugs" and "several critical security vulnerabilities." And these flaws remained hidden in "these libraries for years."

For the security experts behind the discovery of these vulnerabilities, "security analyses of cryptographic implementations have focused on flaws in the protocol structures," leaving aside the examination of the "state machines."

IT researchers have identified a new critical vulnerability in SSL (Secure Sockets Layer) that allows attackers to intercept and break the encryption of exchanges that are in principle protected.

The vulnerability, and the resulting attack, has been named FREAK, for RSA Factoring Export Keys. Why? Because it takes advantage of export-grade encryption keys whose strength is low, which makes it possible to break them.



A legacy of the past

And according to the Washington Post, this flaw is the result of a US policy in the 1990s intended to fight the development of strong encryption technologies. Products for foreign customers were thus deliberately weaker.

Although this ban was later lifted, traces of this US policy remain in many encryption implementations. Researchers discovered in recent weeks that it was possible to force the browser to fall back to a lower level of encryption, and that this encryption could be broken in the space of a few hours, for example by buying computing resources on AWS.

FREAK thus affects browsers, but also a large number of Web servers, and therefore sites, as well as various SSL implementations. Ironically, the vulnerable sites include those of the White House, the FBI and the NSA, all currently hostile to the development of encryption.

A third of vulnerable sites

According to tests carried out by experts from the University of Michigan, one third of sites using encryption prove vulnerable to FREAK attacks. This is particularly the case for those using OpenSSL (a patch exists) and Apple's TLS/SSL client. The vendor's Safari browser is also vulnerable, as is the one built into Android. Chrome, Firefox and Internet Explorer, however, are not affected.

Among the affected sites are many of those that use the Akamai CDN. The firm has already indicated that it is working on a fix for its Web servers. Apple announced that a patch would be available next week. Google has provided a fix to operators and manufacturers, which they will have to deploy.
 
