Ramblings of an old Doc

 

If you thought the FREAK SSL/TLS security hole was only in programs using Apple’s SSL (old OpenSSL) – you’re wrong, and vulnerable. MS’s Secure Channel (SChannel) stack has it too. Great.

FREAK allows MITM (man-in-the-middle) attacks thanks to mistakes made decades ago. “As new technologies emerge, and cryptography hardens, many simply add on new solutions without removing out-dated and vulnerable technologies. This effectively undermines the security model you are trying to build,” said Andrew Avanessian, Avecto's EVP of consultancy and technology services.

We’re also days away from a patch, so there’s a good “How To” here: http://www.zdnet.com/article/how-to-protect-yourself-against-freak/

Who’s Vulnerable:

The following SSL/TLS client libraries are vulnerable:

  • OpenSSL (CVE-2015-0204): versions before 1.0.1k.
  • BoringSSL: versions before Nov 10, 2014.
  • LibreSSL: versions before 2.1.2.
  • SecureTransport: is vulnerable. A fix is being tested.
  • SChannel: is vulnerable. A fix is being tested.

Web browsers that use these TLS libraries are open to attack. These include:

  • Chrome versions before 41 on various platforms are vulnerable.
  • Internet Explorer. Wait for a patch, switch to Firefox or Chrome 41, or disable RSA key exchange as detailed below using the Group Policy Object Editor.
  • Safari is vulnerable. Wait for a patch, switch to Firefox or Chrome 41.
  • Android Browser is vulnerable. Switch to Chrome 41.
  • Blackberry Browser is vulnerable. Wait for a patch.
  • Opera on Mac and Android is vulnerable. Update to Opera 28 (when stable) or switch to Chrome 41.

Your browser might even be safe, but:

“Chrome for Windows and all versions of Firefox are known to be safe. However, even if your browser is safe, certain third-party software, including some anti-virus products and adware programs, can expose you to the attack by intercepting TLS connections from the browser. If you are using a safe browser but our client test says you’re vulnerable, this is a likely cause.”

To see if your specific client system is vulnerable, run the FREAK Attack Client Check
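
The version thresholds listed above can be turned into a quick inventory check. This is an added example, not code from the post or from any of the listed projects; the hostnames and sample versions are constructed, and only the thresholds stated above are encoded (BoringSSL is left out because its cutoff is a date, not a version).

```python
import re

# Thresholds copied from the lists above; nothing beyond the page is encoded
# (no other release branches, no distro backports).
FIXED_IN = {"openssl": "1.0.1k", "libressl": "2.1.2", "chrome": "41", "opera": "28"}
# Listed above as vulnerable with a fix still being tested.
NO_FIX_YET = {"securetransport", "schannel"}


def parse_version(text):
    """'1.0.1k' -> ((1, 0, 1), 'k'); '41.0.2272.89' -> ((41, 0, 2272, 89), '')."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:  # treat 41.0 and 41 as equal
        nums.pop()
    # OpenSSL patch letters run a..z, then za, zb, ...; string order matches.
    return tuple(nums), m.group(2)


def assess(product, version):
    """Return 'vulnerable', 'ok', 'no-fix-listed' or 'unknown' for one client."""
    name = product.strip().lower()
    if name in NO_FIX_YET:
        return "no-fix-listed"
    if name not in FIXED_IN:
        return "unknown"
    fixed = parse_version(FIXED_IN[name])
    return "vulnerable" if parse_version(version) < fixed else "ok"


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("build01", "OpenSSL", "1.0.1j"),
    ("build02", "OpenSSL", "1.0.1k"),
    ("edge01", "LibreSSL", "2.1.1"),
    ("desk14", "Chrome", "40.0.2214.115"),
    ("desk15", "Chrome", "41.0.2272.89"),
    ("desk16", "SChannel", "6.1"),
]


def report(inventory):
    """Map each host to its assessment."""
    return {host: assess(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:8} {status}")
```

A version check cannot see anti-virus or adware that intercepts TLS in front of an otherwise safe browser, so the client test is still the check that counts.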

Apple and Google will be releasing fixes this coming week.

So…if you want to blame someone for this vulnerability, blame the NSA. Yup:

“It seemed like such a good idea in the early 90s. Secure-Socket Layer (SSL) encryption was brand new and the National Security Agency (NSA) wanted to make sure that they could read "secured" web traffic by foreign nationals. So, the NSA got Netscape to agree to deploy 40-bit cryptography in its International Edition while saving the more secure 128-bit version for the US version. By 2000, the rules changed and any browser could use higher security SSL. But that old insecure code was still being used and, fifteen years later, it's come back to bite us.” – ZDNet

You see, the NSA made sure that the early SSL protocol itself was made to be broken.

So…all this reminds me of Mad Magazine’s Spy vs. Spy: setting out to screw the enemy, you end up screwing yourself. If there’s one thing you can count on, it’s that if things can go wrong, they will. And one other thing: people are lazy, and fix things in the laziest way possible.

 

 

Sources:

http://www.zdnet.com/article/how-to-protect-yourself-against-freak/

http://www.zdnet.com/article/freak-another-day-another-serious-ssl-security-hole/

http://www.zdnet.com/article/microsoft-reveals-windows-vulnerable-to-freak-ssl-flaw/

http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html


Comments (Page 2)
on Mar 08, 2015

Well, well.  The fix MS recommends breaks Windows Update.  One of the comments in the ghacks article mentioned it and sure enough, it's broken on my rigs - when I check for updates I get an unknown error.

It is MS, after all.

 

EDIT:  Reset to Not Configured, rebooted & Windows Update is working again.  What a cluster.

 

EDIT2:  Turns out the reason Chrome didn't initially pass was BitDefender on one machine and Avast on another, both of which scan SSL by default.  Disabled SSL scanning in the AV's config and Chrome 41 now passes on both rigs.  Did I mention cluster?

on Mar 08, 2015

What can I tell you, Daiwa? All this crap due to the NSA pushing 40 bit encryption (LONG since higher) on Netscape...and no one ever going back and fixing it.

Their antenna should tell you everything.

on Mar 08, 2015

^^ 

on Mar 08, 2015

ROFL... Oh!,   never mind the floor..  just laughing.

 

How does aviator (white hat) rank re security?

on Mar 08, 2015

teddybearcholla

The rest of the average pc users around the world know nothing and go on like normal.

Finally, I found the group I belong to. 

on Mar 08, 2015

Aviator passes the Freak Check here on Win7 64bit, FWIW.  And it claims to be more secure in general than Chrome (on which it is based). 

on Mar 09, 2015

lmao, voo. 

 

ElanaAhova

How does aviator (white hat) rank re security?

Extremely secure, Elana.

on Mar 09, 2015

DrJBHL

Their antenna should tell you everything.

Tomorrow's headline:

"NSA Thwarted By Giant Piece of Latex!"

on Mar 10, 2015

DrJBHL

lmao, voo. 

 


Quoting ElanaAhova,

How does aviator (white hat) rank re security?



Extremely secure, Elana.

 

wasn't that exposed when their source code was released?

Aviator in a nutshell is an outdated (by at least two major versions) Chrome with changed default settings + Disconnect + branding + very little poorly coded own stuff.

here's what Justin Schuh from Google Security has to say:

https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z 

 

there sure are some benefits using something like Aviator for people that are not capable of changing settings and installing extensions, but i really wouldn't call an outdated browser extremely secure.

recommended links from Justin Schuh's post:

https://noncombatant.org/2014/03/11/privacy-and-security-settings-in-chrome/

https://www.google.com/chrome/browser/privacy/whitepaper.html

 

on Mar 10, 2015


https://noncombatant.org/2014/03/11/privacy-and-security-settings-in-chrome/

If you notice, he recommends those settings if you use Tor. I don't need that NSA magnet.

Aviator strips info so the user is less vulnerable (in protected mode)...not outdated as far as I can see. Also, it's updated and maintained, so fewer worries there.

on Mar 10, 2015

DrJBHL

If you notice, he recommends those settings if you use Tor. I don't need that NSA magnet.

no, he does not. Tor is mentioned briefly one single time, the recommendations in that post have nothing to do with it.

 

DrJBHL

not outdated as far as I can see.

look again. in Aviator enter aviator://version/ in the address bar. it is now 4 major versions behind Chrome/Chromium

 

DrJBHL

Also, it's updated and maintained, so fewer worries there.

the last time it was updated was in December 2014


edit: wrong commit history. so, there actually are a few bugfixes. 

https://github.com/WhiteHatSecurity/Aviator/commits/master

 

 

on Mar 10, 2015

DrJBHL

Also, it's updated and maintained, so fewer worries there.

regarding your statement, this post from WhiteHatSecurity might be interesting:

https://blog.whitehatsec.com/aviator-going-open-source/

So we hope that people use the browser and make it their own. We won’t be making any additional changes to the browser; Aviator is now entirely community-driven. We’ll still sign the releases, QA them and push them to production, but the code itself will be community-driven.

is there such a thing as an "Aviator community"? looking at the commit history, there is just one single person contributing to the code. seems Aviator has been abandoned.



on Mar 10, 2015

Reminds me of an old Slashdot joke:

Man speaking to his phone: "Hello! Can anybody hear me?"

NSA analyst: "No." 

on Mar 10, 2015

Maintaining browser code is a huge effort that needs funding, manpower and determination. It's far better if the existing teams patch up their product than to start a community-driven "hooray" initiative that dies after a few months. 
