Friday, March 13, 2015

Are you FREAKed out yet?


So maybe you heard about the latest round of security nightmares that plague what everyone thought was secure web traffic.

A few months back it was a serious security flaw in OpenSSL known as Heartbleed that sent webmasters scrambling. Then came a sucker punch from left field when it was discovered that all an attacker needed to do to compromise your entire server (not just a website) was to insert some code that a Bash prompt would respond to.

Encryption be damned if you have root access to the server!

Which brings us to the latest security gaffe, otherwise known as a Freak attack...

This one has its roots in the earliest implementations of web security, back in the days when the U.S. government was so paranoid about not being able to clandestinely snoop on your encrypted communications that they enforced a ban on strong encryption (aka: stuff they couldn't break). It was deemed "export-grade" encryption, which was just a fancy name for "weak."

They did it by forcing SSL to downgrade its encryption bit strength when traffic left the U.S., thus allowing easy surveillance of all "suspicious" (meaning all) traffic.

Well, as we know from the Snowden leaks, there's not much need to worry about borders anymore. The U.S. has monitoring bases worldwide now. Besides, the juicy fruit of the spy game is gathered from far less hardened sources these days. Just bug a German chancellor's phone and you've got all the dirt you need on the EU.

But let's get back to the problem at hand. 

There are still remnants of this "backdoor" in SSL, and because of them millions of websites are vulnerable to compromise using relatively simple "man in the middle" attacks that exploit the weak export-grade cipher suites still present in SSL implementations.

The worst part is that the problem exists on both the client (aka: your browser) and server sides.  A compromised client and a compromised server are a marriage made in heaven. 

So what's the solution? Pretty much the same as always. Keep abreast of security news and patch, patch, patch! Which is why there were so many Internet Explorer security patches this week. OpenSSL will have a patch available too.

If you'd like to dig a little deeper, the following site will let you test both your browser and your favorite SSL-secured websites.



Do it now.
