FREAK (Factoring RSA Export Keys) is yesterday's news in cryptographic terms but very much today's news in operational ones. The disclosure comes from the smacktls.com group (State Machine AttaCKs; INRIA, Microsoft Research and IMDEA), whose paper on TLS state-machine bugs describes a downgrade attack against TLS clients that will accept an export-grade RSA ServerKeyExchange in a handshake that negotiated an ordinary RSA ciphersuite. An attacker who can modify the handshake in transit gets a server that still offers export ciphersuites to send its 512-bit temporary RSA key, feeds that key to the vulnerable client, factors it in a few hours of cloud compute, and recovers the session's premaster secret, which is enough to read the session or inject into it. Because most servers generate the 512-bit key once and reuse it for the life of the process, the factoring is done once and pays off against every later session with that server.
The CVE assignments are CVE-2015-0204 against OpenSSL (cve.mitre.org/CVE-2015-0204) and CVE-2015-1067 against Apple's Secure Transport. Microsoft confirmed this week that Schannel is also vulnerable (Microsoft Security Advisory 3046015, CVE-2015-1637), which takes in Internet Explorer and every other Windows client that hands its TLS to Schannel. Chrome on Android and OS X inherited the issue through OpenSSL; Firefox, which carries its own TLS stack (NSS), did not. The freakattack.com tracker run by the University of Michigan group is producing the best running list of affected sites; this morning's count is something north of a third of HTTPS servers with browser-trusted certificates still offering an export ciphersuite, which is a remarkable number.
The history is the part of the story that needs telling. Export-grade ciphersuites exist because of US export controls in the 1990s. The International Traffic in Arms Regulations classified strong cryptography as a munition, and the regime that replaced them at the end of 1996 (the Commerce Department's Export Administration Regulations) kept the substance: an exportable SSL implementation could use at most 40-bit symmetric keys and 512-bit RSA for key exchange. The "international" versions of Netscape Navigator and Internet Explorer in 1996-97 shipped with these export ciphersuites. The controls were substantially relaxed in 1999 and effectively dropped in 2000. The export ciphersuites, however, remained in the TLS specifications and in implementations, on the principle that legacy compatibility is cheap and removal is expensive. They are the cryptographic equivalent of asbestos in a 1970s ceiling tile: installed under different rules, harmless if not disturbed, dangerous when the ceiling comes down.
FREAK is the ceiling coming down. The attack works because a vulnerable client will accept an export-grade RSA key in a handshake in which it never asked for one. The client sends a ClientHello listing ordinary RSA ciphersuites. The man-in-the-middle rewrites that ClientHello to ask for an RSA_EXPORT suite instead. A server that still supports export ciphersuites picks one and sends, alongside its certificate, a ServerKeyExchange carrying a 512-bit temporary RSA key signed with its real key. The attacker rewrites the ServerHello so the client sees the ordinary suite it asked for, and the client, which should reject a ServerKeyExchange on a static-RSA suite, instead encrypts its premaster secret to the 512-bit key. The Finished messages would normally catch the tampering, but once the attacker has factored the key and recovered the premaster secret it holds the master secret and can forge them. Factoring a 512-bit RSA modulus is a few hours of work on commodity cloud capacity; the disclosure estimates roughly seven hours and a hundred dollars on EC2, and because servers commonly reuse the temporary key the cost is paid once per server, not once per session.
For penetration testers and SOC engineers there are immediate things to do. Test all customer TLS endpoints for export ciphersuite support; the SSL Labs scanner (ssllabs.com/ssltest) flags this directly, and a quick local check is openssl s_client -connect host:443 -cipher EXPORT, which should fail to complete a handshake. Disable export ciphersuites on every server we administer; in OpenSSL cipher-string terms that means !EXPORT (or !EXP) in the list handed to Apache's SSLCipherSuite, nginx's ssl_ciphers or the platform's equivalent, and openssl ciphers -v with the same string shows what actually survives. Verify that the disablement has propagated through load balancers, reverse proxies and any TLS-terminating intermediary; the export ciphersuite often persists in a cached or pinned configuration on the device closest to the client. Remember that the defect is on the client side as well: a server that no longer offers export suites removes the factoring target, but an unpatched client stays exposed to any server that still does. Update OpenSSL (the CVE-2015-0204 fix shipped in 1.0.1k), Schannel and Java endpoints as the vendor patches land, and point users at the browser check on freakattack.com.
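The downgrade mechanics described above and the export-suite probe, together, as an added Python example of my own (not code from the smacktls paper, from OpenSSL or from the freakattack.com scanner): it builds a ClientHello that offers only the RSA_EXPORT suites, parses a server's first flight to see whether an export suite was chosen and how large the temporary RSA modulus is, and implements the check a correct client makes (reject a ServerKeyExchange on a static-RSA suite), which is exactly the check the vulnerable clients skipped. The server flight it runs against by default is constructed inline, not a capture, and its key and signature bytes are placeholders; ciphersuite numbers are from the TLS registry; the function names are mine; only probe() touches the network.

```python
"""FREAK probe and client-side check (added example, not from the original page)."""
import socket
import struct
import sys

# Ciphersuite values from the IANA TLS registry (RFC 2246 appendix A.5).
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
STATIC_RSA_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
HANDSHAKE, ALERT = 0x16, 0x15                         # TLS ContentType values
CLIENT_HELLO, SERVER_HELLO, SERVER_KEY_EXCHANGE = 1, 2, 12


def build_client_hello(suites, version=(3, 1)):
    """One TLS record carrying a minimal ClientHello offering exactly `suites` (TLS 1.0 default)."""
    body = bytes(version) + b"\x00" * 32              # client_version, random (fixed: this is a probe)
    body += b"\x00"                                   # empty session_id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                               # compression_methods: null only
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + struct.pack(">H", len(hs)) + hs


def iter_records(data):
    """Yield (content_type, payload) for each complete TLS record in `data`."""
    off = 0
    while off + 5 <= len(data):
        ctype = data[off]
        length = struct.unpack(">H", data[off + 3:off + 5])[0]
        payload = data[off + 5:off + 5 + length]
        if len(payload) < length:
            break                                     # truncated record: stop rather than guess
        yield ctype, payload
        off += 5 + length


def iter_handshakes(records):
    """Reassemble handshake records into (msg_type, body) messages."""
    buf = b"".join(p for t, p in records if t == HANDSHAKE)
    off = 0
    while off + 4 <= len(buf):
        mtype, length = buf[off], int.from_bytes(buf[off + 1:off + 4], "big")
        body = buf[off + 4:off + 4 + length]
        if len(body) < length:
            break
        yield mtype, body
        off += 4 + length


def client_must_reject(negotiated_suite, saw_server_key_exchange):
    """With an RSA key exchange, a ServerKeyExchange is only legal for an RSA_EXPORT suite
    (RFC 2246 section 7.4.3).  Accepting one on a static-RSA suite is the FREAK client bug."""
    return saw_server_key_exchange and negotiated_suite in STATIC_RSA_SUITES


def classify_response(data):
    """Parse a server's first flight and report the FREAK-relevant facts."""
    records = list(iter_records(data))
    result = {"alert": any(t == ALERT for t, _ in records),   # alert = server refused the handshake
              "suite": None, "export": False, "saw_ske": False, "ske_rsa_bits": None}
    for mtype, body in iter_handshakes(records):
        if mtype == SERVER_HELLO:
            # server_version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)
            sid_len = body[34]
            result["suite"] = struct.unpack(">H", body[35 + sid_len:37 + sid_len])[0]
            result["export"] = result["suite"] in EXPORT_RSA_SUITES
        elif mtype == SERVER_KEY_EXCHANGE and (result["suite"] in EXPORT_RSA_SUITES
                                               or result["suite"] in STATIC_RSA_SUITES):
            # RSA_EXPORT ServerKeyExchange: rsa_modulus<1..2^16-1> rsa_exponent<1..2^16-1> signature
            result["saw_ske"] = True
            mod_len = struct.unpack(">H", body[:2])[0]
            result["ske_rsa_bits"] = int.from_bytes(body[2:2 + mod_len], "big").bit_length()
    result["downgrade_indicator"] = client_must_reject(result["suite"], result["saw_ske"])
    return result


def probe(host, port=443, timeout=5.0):
    """Offer only RSA_EXPORT suites to a live server: a ServerHello picking one means the
    server still supports export-grade RSA; an alert means it refused, which is what we want."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(sorted(EXPORT_RSA_SUITES)))
        data = b""
        try:
            while len(data) < 16384:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return classify_response(data)


def sample_server_flight(suite=0x0008):
    """Constructed server flight (not a capture): ServerHello choosing `suite` plus an RSA_EXPORT
    ServerKeyExchange with a 512-bit modulus.  Key/signature bytes are placeholders; the
    Certificate and ServerHelloDone messages are omitted because the parser does not need them.
    suite=0x002F reproduces what a FREAK victim sees after the attacker rewrote the ServerHello."""
    hello = b"\x03\x01" + b"\x11" * 32 + b"\x00" + struct.pack(">H", suite) + b"\x00"
    modulus = b"\x80" + b"\x00" * 63                  # 64 bytes with the top bit set: 512-bit
    ske = (struct.pack(">H", len(modulus)) + modulus
           + b"\x00\x03\x01\x00\x01"                  # exponent 65537
           + b"\x00\x80" + b"\x00" * 128)             # 1024-bit signature placeholder
    hs = (bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
          + bytes([SERVER_KEY_EXCHANGE]) + len(ske).to_bytes(3, "big") + ske)
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack(">H", len(hs)) + hs


if __name__ == "__main__":
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else classify_response(sample_server_flight()))
```

Run it with a hostname to probe a live server, or with no arguments to classify the constructed flight. A server that has dropped export suites answers the export-only ClientHello with a handshake_failure alert, reported as alert=True; a front end that rejects a bare TLS 1.0 ClientHello without SNI will also alert, so a refusal is a pass but not a proof, and the SSL Labs result is still the one to file. The downgrade_indicator field is the thing to alert on in captured client-side traffic: a static-RSA suite in the ServerHello with a ServerKeyExchange behind it should never occur.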
For vCISO clients with major HTTPS-fronted services, there is also a board-level conversation. The Towry trading platform refresh I mentioned in January is now going to include an explicit "no export-grade or weak RSA ciphersuites" requirement in the vendor scoring sheet. The Browne Jacobson IT team is doing the same audit across their public services and will be contacting their hosted-application vendors this week. Northcott's TLS estate is small enough that we have already finished the sweep — clean.
The structural thing FREAK reminds me of is the long lifespan of bad decisions in cryptographic ecosystems. The export controls were Cold War arms-control policy that the Clinton administration kept in force until 1999. They are the proximate cause of a vulnerability disclosed in 2015 affecting hundreds of thousands of servers. Heartbleed (April 2014) had a similar shape: a bug introduced in a 2011 codepath that nobody had cause to revisit. POODLE (October 2014) was about SSL 3.0, a protocol from 1996 that should have been retired a decade before it was attacked. FREAK is about ciphersuites from the same era. There is a generation of decisions in TLS that need to be unmade, and the unmaking is happening one disclosure at a time.
I keep a list of things I want to write about properly when there is time. The export-control history of TLS is moving up that list.