The security industry was whipped into a frenzy this week with the discovery of the FREAK vulnerability, which enables a determined attacker to downgrade SSL traffic from “strong” RSA encryption to “export-grade” RSA encryption. The vulnerability exists because of a U.S. government policy from the 1990s that required weaker “export-grade” encryption in products sold to foreign countries – essentially, a backdoor.
The exploit is described in detail by the researchers at SmackTLS.com. The Washington Post describes it well:
“The export-grade encryption had 512 bits, the maximum allowed under U.S. restrictions designed to limit trade in military technologies in the 1990s, during an era often called “The Crypto Wars” because of pitched political battles over deploying cryptographic algorithms that even advanced government computers had trouble cracking. But 512-bit cryptography has been considered unacceptably weak for more than a decade. Even experts thought it had disappeared.”
While the discovery of the FREAK vulnerability may be new, it is a classic man-in-the-middle attack. However, the news that Microsoft Windows is also vulnerable means FREAK is far more serious than we initially thought.
The FREAK vulnerability is another proof point in a long line underscoring how security principles from the last millennium are no longer applicable in the cloud and mobile era, especially when you factor in SSL traffic.
The network security perimeter is often described as a moat around the castle, which is a great analogy, except that we don’t live in castles and our attackers don’t come riding in on horseback.
However, the real damage done by these sorts of vulnerabilities is against the trust of the security industry. When government interference deliberately weakens security, the government is left looking humiliated by its own policies. The problem with FREAK is that it forces devices to use old “export-grade” encryption that was inherently weak. In the 1990s, these weak ciphers required the computing resources of a nation state to brute-force, but now you can rent a cloud cluster to do the work in a few hours for $100.
FREAK raises some serious questions about how the security protocols of days past may affect us today and in the future. To prepare for this future, we must abandon some principles of the past. Latent vulnerabilities will surface in older infrastructure. Attackers will exploit any opportunity and the legacy base is full of holes, so CIOs need to continually upgrade and patch where they can. The security industry must embrace new architectures that can prevent cyber attacks even when vulnerabilities exist. That’s a big part of what we’re working on here at Bromium.