Ramblings of an old Doc

 

If you thought the FREAK SSL/TLS security hole was only in programs using Apple’s SSL (old OpenSSL) – you’re wrong, and vulnerable. MS’s Secure Channel (SChannel) stack has it too. Great.

FREAK allows MITM (man-in-the-middle) attacks thanks to mistakes made decades ago. “As new technologies emerge, and cryptography hardens, many simply add on new solutions without removing out-dated and vulnerable technologies. This effectively undermines the security model you are trying to build,” said Andrew Avanessian, Avecto's EVP of consultancy and technology services.

We’re also days away from a patch, so there’s a good “How To” here: http://www.zdnet.com/article/how-to-protect-yourself-against-freak/

Who’s Vulnerable:

The following SSL/TLS client libraries are vulnerable:

  • OpenSSL (CVE-2015-0204): versions before 1.0.1k.
  • BoringSSL: versions before Nov 10, 2014.
  • LibreSSL: versions before 2.1.2.
  • SecureTransport: is vulnerable. A fix is being tested.
  • SChannel: is vulnerable. A fix is being tested.

Web browsers that use these TLS libraries are open to attack. These include:

  • Chrome versions before 41 on various platforms are vulnerable.
  • Internet Explorer. Wait for a patch, switch to Firefox or Chrome 41, or disable RSA key exchange as detailed below using the Group Policy Object Editor.
  • Safari is vulnerable. Wait for a patch, switch to Firefox or Chrome 41.
  • Android Browser is vulnerable. Switch to Chrome 41.
  • Blackberry Browser is vulnerable. Wait for a patch.
  • Opera on Mac and Android is vulnerable. Update to Opera 28 (when stable), switch to Chrome 41.

Your browser might even be safe, but:

“Chrome for Windows and all versions of Firefox are known to be safe. However, even if your browser is safe, certain third-party software, including some anti-virus products and adware programs, can expose you to the attack by intercepting TLS connections from the browser. If you are using a safe browser but our client test says you’re vulnerable, this is a likely cause.”

To see if your specific client system is vulnerable, run the FREAK Attack Client Check.
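A local complement to the client check, as an added example that is not part of the original post: it compares an OpenSSL version string against the 1.0.1k threshold listed above and flags export-grade suites in a cipher list. The function names and the sample list are constructed for illustration, and `audit_local()` only inspects the TLS library your Python interpreter is linked against, not your browser's.

```python
import re
import ssl

FIXED = "1.0.1k"  # the post's threshold: OpenSSL "versions before 1.0.1k"

def parse_openssl(version):
    """Turn '1.0.1j' or 'OpenSSL 1.0.1j 15 Oct 2014' into a sortable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letters = m.groups()
    # Patch letters run a..z, then za, zb, ...: compare length before text.
    return (int(major), int(minor), int(fix), len(letters), letters)

def predates_fix(version, fixed=FIXED):
    """True if `version` sorts before the post's single threshold.
    Older branches are judged against that same threshold, as in the post."""
    return parse_openssl(version) < parse_openssl(fixed)

def export_grade(ciphers):
    """Names of export-grade suites in an SSLContext.get_ciphers() style list."""
    flagged = []
    for c in ciphers:
        bits = c.get("strength_bits", 0)
        # OpenSSL names export suites EXP-...; 40-bit strength is the export limit.
        if c["name"].startswith("EXP") or 0 < bits <= 40:
            flagged.append(c["name"])
    return flagged

def audit_local():
    """Report on the TLS library this Python interpreter is linked against."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")  # widest list the library will offer
    is_openssl = ssl.OPENSSL_VERSION.startswith("OpenSSL")
    return {
        "library": ssl.OPENSSL_VERSION,
        "predates_fix": predates_fix(ssl.OPENSSL_VERSION) if is_openssl else None,
        "export_suites": export_grade(ctx.get_ciphers()),
    }

# Constructed sample in get_ciphers() format, not captured from a real client.
SAMPLE = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "EXP-DES-CBC-SHA", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
]

if __name__ == "__main__":
    print(export_grade(SAMPLE))
    print(audit_local())
```

An empty `export_suites` list means the library no longer offers export suites at all, which removes the downgrade target regardless of the version comparison.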

Apple and Google will be releasing fixes this coming week.

So…if you want to blame someone for this vulnerability, blame the NSA. Yup:

“It seemed like such a good idea in the early 90s. Secure-Socket Layer (SSL) encryption was brand new and the National Security Agency (NSA) wanted to make sure that they could read "secured" web traffic by foreign nationals. So, the NSA got Netscape to agree to deploy 40-bit cryptography in its International Edition while saving the more secure 128-bit version for the US version. By 2000, the rules changed and any browser could use higher security SSL. But that old insecure code was still being used and, fifteen years later, it's come back to bite us.” – ZDNet

You see, the NSA made sure that the early SSL protocol itself was made to be broken.

So…all this reminds me of Mad Magazine’s Spy vs. Spy: setting out to screw the enemy, you end up screwing yourself. If there’s one thing you can count on, it’s that if things can go wrong, they will. And one other thing: people are lazy, and fix things in the laziest way possible.

 

 

Sources:

http://www.zdnet.com/article/how-to-protect-yourself-against-freak/

http://www.zdnet.com/article/freak-another-day-another-serious-ssl-security-hole/

http://www.zdnet.com/article/microsoft-reveals-windows-vulnerable-to-freak-ssl-flaw/

http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html


Comments (Page 3)
on Mar 10, 2015

Thanks for the links, moshi.  They raise an eyebrow a millimeter or 2 concerning Aviator, but more importantly are a good source of info for securing Chrome itself.

on Mar 10, 2015

^ ^

on Mar 10, 2015

Version 37.0.2062.99 (2.6) is the current one...

I don't know how they number their updates, so I'm at a disadvantage as to what each one included. I also don't know what they consider a "Major" vs. a "Minor" update.

How does Aviator stay up to date?

Aviator has an automatic update system. Every five hours Aviator will check with our server to see if a newer version is available. If an update’s available it will be downloaded in the background and it will install upon restarting Aviator.

So...clearly it's updated.

on Mar 10, 2015

DrJBHL

I don't know

yeah, i thought so. i'll try to explain:

numbers before the first dot are major version numbers

2.6 is the (internal) Aviator version number

37.0.2062.99 is the Chromium version number, which was already outdated when they first used it for Aviator 2.5. you can also see that they did not update the Chromium base when going from 2.5 to 2.6

in Justin Schuh's post you can see why they have to use such outdated Chromium versions, they managed to ruin the necessary feature of version parity themselves. (i am sure you don't need an explanation why version parity would be required)

besides that, JavaScript is outdated in Aviator as well.

 

 

DrJBHL

So...clearly it's updated.

how is that clear? your quote says it does check for updates and if there would be an update it would install silently. that's all. 

again, directly from WhiteHatSecurity: "We won’t be making any additional changes to the browser. ". they hope for some (fictional) community to do that.



so, as a final post from me:

if you want to believe Aviator is an "extremely secure" browser, that's fine. if you manage to ignore the new vulnerabilities Aviator has added (and you can absolutely do that. i doubt anyone will ever bother to exploit those as the browser has hardly a userbase), then you would be very correct to say that Aviator is more secure than Chrome 37 with default settings.

it could be worse. if i remember correctly there is also a user here that thinks Internet Explorer 8 (or maybe even 7) is a secure browser.

looking at the screenshots you post regularly it seems Chrome is your main browser anyways.


on Mar 10, 2015

Failed the test yesterday

Monthly Microsoft updates today.

Rechecked and all OK

Using IE11

Macca

on Mar 10, 2015


how is that clear?

It's clear from their version numbers.

on Mar 10, 2015

Monthly updates today from MS fixed IE, well at least for me it did.

on Mar 10, 2015


Thanks for the links, moshi.  They raise an eyebrow a millimeter or 2 concerning Aviator, but more importantly are a good source of info for securing Chrome itself.

Indeed.

on May 13, 2015

DrJBHL

So...clearly it's updated.

 

two months later, current status:

- no updates

- now 5 major versions behind Chrome/Chromium

- no commits on Github as well

on May 30, 2015

That's the NSA for you. You'd be surprised what else they (and other agencies) have done over the years to screw us in the name of "safety". Unfortunately when people find out legitimate information on things like this people don't believe them and they instantly get labeled as a nut job or conspiracy theorist. Look up the history of the OSS some time. Some of what they did back in the day will knock your socks off.
