FREAK is a new man-in-the-middle (MITM) vulnerability discovered by a group of cryptographers at INRIA, Microsoft Research and IMDEA.
FREAK stands for “Factoring RSA-EXPORT Keys.” As for the “A”, it may be a stand for Apple or Android to be discussed below.
The vulnerability dates back to the 1990s, when the US government banned selling crypto software overseas, unless it used export cipher suites which involved encryption keys no longer than 512-bits.
The issue is there are still some clients who let crypto be degraded from “strong RSA” to “export grade RSA”. These clients use OpenSSL and Apple’s Secure Transport. As such, Android mobiles are impacted, as well as Apple devices such as Macs, iPhones and iPads.
There are two parts of the attack as the server must also accept “export grade RSA.” Studies have shown that of 14 million browser trusted websites, 36 per cent will drop down to 512 bits or below.
So how can an attack be implemented? First, the user on a vulnerable browser addresses a legitimate website where the browser asks for a standard RSA ciphersuite. The communication is intercepted by a MITM and the MITM asks the legitimate website for “export grade RSA.” The MITM then completes the TLS handshake with the browser, but with the lower level of crypto.
Now the MITM can crack the small sized key. This attack can be done with a decent PC and about 2 weeks or about $100 using Amazon cloud and a few hours. With the key cracked, the MITM can decrypt the TLS master secret, then the session can be analyzed or changed.
The issue is aggravated as generating RSA keys is costly. As such, modern web servers do not change them for every single connection. In some cases, the key is used for the lifetime of the server. This means you don’t have to be that fast to break a key.
How bad is the FREAK vulnerability? Ivan Ristić states the following, “In practice, I don’t think this is a terribly big issue, but only because you have to have many “ducks in a row”: 1) find a vulnerable server that offers export cipher suites; 2) it should reuse a key for a long time; 3) break key; 4) find vulnerable client; 5) attack via MITM (easy to do on a local network or wifi; not so easy otherwise).”
Moving forward, Apple and Android will have to issue patches to correct their operating systems, browsers and devices. Unfortunately for Android users, Google does not patch the device, this is done by the carrier. As such, we don’t know if those users will be patched.
This means that the solution needs to be done at the server end. Your server should disable support for any export suites. Administrators should be encouraged to disable all insecure ciphers and enable suites which support perfect forward secrecy. Mozilla has a guide with recommended configurations.
Use the Entrust SSL Server Test to check your server.
Updated March 6, 2015: Users can test their browsers at SSL Labs Browser Test.
Updated March 6, 2015: Microsoft has announced that Windows is also susceptible to the FREAK vulnerability.