Thursday, 5 March 2015

New TLS / SSL Leak Hits Android And Apple Users

Researchers have discovered a new leak in TLS / SSL encrypted connections allowing attackers from Android and Apple users attacks. The problem that the name " FREAK Attack "has been, in some TLS / SSL servers and present clients, and allows an attacker located between the target and the Internet is the security of the TLS connection to a weak encryption can downgrade . Then this encryption can be attacked and content viewed from the protected traffic.

The vulnerability is caused by the US export policy in the early 1990s, making strong encryption could not be exported.Instead, there was only "export-grade" RSA encryption are supplied. The encryption keys were in this case only 512-bits wide.According cryptography professor Matthew Green was the 512-bit export-grade encryption weigh "dumb and dumber". "In theory was developed to ensure that the NSA communication could approach, while there could also be argued that the cryptography" "for commercial use." Good enough

According to Green led the need to support export-grade encryption to technical challenges. American servers were namely support both strong and weak encryption. The SSL developers were using a mechanism to set up a secure connection between two parties support the strongest encryption chooses which both parties. In theory, American users with American servers than strong encryption can use, while foreign clients with weak encryption are supported.

Most modern clients, such as browsers, would be to set up an encrypted connection is no export-grade encryption offer more.In addition, it was assumed that most servers nor export-grade encryption would offer more. Furthermore, an attacker in case there are still export-grade encryption for the encrypted compound was used must compute a 512-bit RSA key.

Researchers at Microsoft Research and INRIA IMDEA discovered that some modern TLS clients, including Apple's Secure Transport and OpenSSL, contain a vulnerability. Therefore they accept RSA export-grade encryption, even though they did not ask for this. According to Green, this bug has major consequences, since the attacker will connect to downgrade.However, the client in question need to be vulnerable, and the support server export-grade RSA. Contrary to what many people thought was export-grade RSA still in use. 36.7% of the 14 million websites investigated were found to support it.

"We thought that people were using it anymore," said Karthikeyan Bhargavan, a researcher from the French computer lab INRIA opposite the Washington Post . The team Bhargavan discovered the problem during testing of encryption systems.According to Nadia Heninger, a cryptographer at the University of Pennsylvania, we have here is actually a "zombie from the 1990s" to make. Heninger says that she can crack the export-grade encryption through the Amazon Web Services in 7 hours.

The vulnerability was already patched OpenSSL in January this year. Apple would now working on an update next week, and several internet parties are working to export-grade encryption to phase out. Google would now also have rolled out a patch among suppliers. However, it is up to these parties to the Android update to roll out among their users. Android users also get the advice to use a browser other than the one that comes standard.

No comments:

Post a Comment