A group of researchers on the miTLS team has found a new vulnerability in the SSL/TLS protocol. The vulnerability is called FREAK, and it concerns Apple and Android users. A remedy has not been found yet, but decentralized networks built on the blockchain model could prevent similar cyber security attacks in the future.
Many cyberattacks are due to single points of failure. Users readily trust and use different services in the digital world without being aware of the threats and vulnerabilities of these services. One of the most useful and common protocols on the internet, on which most banks and services rely, is Secure Sockets Layer (SSL), which most internet users know as https.
Some of the miTLS team, in a joint project between Microsoft Research and INRIA, have recently found a new vulnerability in the SSL/TLS protocol. This protocol establishes a secure connection between client and server by generating a private and public key pair for clients after a handshake in which the two parties send and receive a few messages. If an attacker is intercepting this communication channel, the attacker is able to initiate different attacks. These attacks are categorized as man-in-the-middle attacks in computer networks.
In SSL the generated key should be large enough to make it almost impossible for hackers to break and find the key. Thus it normally uses a 2048-bit key size. However, there is an encryption suite called “export-grade” that some servers use, which involves keys of no more than 512 bits. This suite was implemented in the 1990s, when the US government banned selling cryptographic software overseas unless it used the export-grade suite, presumed to be breakable by the NSA.
The miTLS team, after analyzing different attack scenarios on different servers, realized that many servers accept export-grade RSA in their implementation. Some clients, such as OpenSSL and Apple’s Secure Transport, use a reduced implementation of SSL/TLS in their handshake process, which makes them vulnerable to these man-in-the-middle attacks. In these situations, an adversary can get the client’s request to the server and send the server a request for export-grade keys. After they receive the keys they can start breaking them on their own PC, which takes roughly 2 weeks. Faster versions could use services such as Amazon’s cloud service to break the key, which would take only a few hours.
This vulnerability in the SSL/TLS protocol is called “FREAK”, which stands for Factoring RSA Export Apple and Android Keys. Apple announced that they are going to fix this issue in their next patch, but Android users should rely on their service providers, as Google has not yet released a patch for this matter. Microsoft also said that its implementation of SSL/TLS in all versions of Windows is vulnerable to this attack.
The technical description of the attack is written up in the upcoming research draft paper to be presented at IEEE Security and Privacy 2015. Users can use this link to test any website and find out whether the website is vulnerable to FREAK attacks or not.
Man-in-the-middle attacks are a common scenario, and a powerful attack on any client. An adversary impersonates both parties in the communication and eavesdrops on all messages, making both parties believe that they are communicating with each other while the adversary manipulates them both. This is a common attack, however, and there are some measures you can take as a precaution.
Bitcoin has a perfect solution for these scenarios with its blockchain technology: a ledger that is kept by all the parties and that can store different information. Would this man-in-the-middle attack on SSL happen if clients had all the records of a server in a distributed ledger like the one we have in Bitcoin? Obviously the client could have easily noticed that someone was impersonating the server, and therefore he could terminate the communication. Distributed, decentralized networks with the blockchain model have so much to offer, and could help prevent many similar cyber security attacks.