On March 3rd 2015 a new SSL/TLS vulnerability was announced that allows an attacker to intercept HTTPS. As the “End User” connects to a server, “Freak Attack” stops the user’s connection in its tracks before it reaches the server, leaving the user believing they have reached the site, only to be asked to use weakened encryption. The “Freak Attack” site is dedicated to tracking the impact of the attack and lets users check whether or not their encryption is weak.
Two days later, Microsoft released an executive summary, “Microsoft Security Advisory 3046015”, stating that they are aware of the vulnerability in Secure Channel (Schannel), which ships with every version of MS Windows, but going on to say that “Freak Attack” is an industry-wide issue and doesn’t stop with Windows operating systems.
This is scary stuff. That is, if you understood half of what you just read. Let’s try to understand this and see how it applies to everyday people like us. Reading the above, there are some words or phrases that stand out that you may not be familiar with:
What is SSL/TLS?
What is HTTPS?
What is encryption?
What is Schannel?
And who are these “End Users” they speak of?!
SSL and TLS are networking acronyms: SSL is Secure Sockets Layer and TLS is Transport Layer Security. They are security protocols which allow you and me to send data over the web, and not just any data but sensitive data. This data is most commonly sent using a web browser (Internet Explorer, Google Chrome and everyone’s favorite, FoxFire! No, it’s actually Firefox).
Usernames, passwords and all types of info are floating around the web, and SSL and TLS work together to keep that info safe. So, how can you tell if SSL and TLS are working? Let’s use Internet Explorer. At the very top, in the address bar, you’ll see a URL starting with “http”. When connecting to secure sites SSL or TLS will replace “http” with “https”. I bet you’re thinking, what’s happening? Behind the scenes, your browser checks the site’s certificate for three things:
1) That the certificate comes from a trusted party;
2) That the certificate is currently valid;
3) That the certificate has a relationship with the site from which it’s coming.
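To make those three checks concrete, here is an added example in Python (not code from the original post) that models what the browser does with a miniature, self-contained PKI: a root CA in a trust store, a site certificate that root signed, a certificate from a CA the browser does not trust, a tampered copy of the genuine certificate, and expired and wrong-hostname cases. The names (Example Root CA, Rogue CA, example.com), the dates and the tiny textbook RSA keys are all constructed for the example; real certificates are X.509/DER with far larger keys and padded signatures, but the three questions being asked are the same.

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Toy RSA, constructed for this example: tiny textbook keys, no padding. It only
# makes the chain signatures real arithmetic; real PKI uses 2048-bit+ keys and padding.
def make_key(p, q, e=65537):
    """Return ((n, e), d) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)

def _digest(tbs, n):
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

def sign(tbs, d, pub):
    return pow(_digest(tbs, pub[0]), d, pub[0])

def verify_sig(tbs, sig, pub):
    return pow(sig, pub[1], pub[0]) == _digest(tbs, pub[0])

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sans: tuple            # DNS names (subjectAltName) the certificate covers
    not_before: datetime
    not_after: datetime
    pub: tuple             # public key (n, e)
    sig: int = 0           # issuer's signature over tbs()
    def tbs(self):         # the "to be signed" fields, serialised deterministically
        return repr((self.subject, self.issuer, self.sans, self.not_before,
                     self.not_after, self.pub)).encode()

def issue(subject, sans, not_before, not_after, pub, ca_cert, ca_priv):
    """Have a CA sign a new certificate with its own private key."""
    unsigned = Cert(subject, ca_cert.subject, tuple(sans), not_before, not_after, pub)
    return replace(unsigned, sig=sign(unsigned.tbs(), ca_priv, ca_cert.pub))

def hostname_matches(hostname, pattern):
    """RFC 6125-style match: '*' may stand in for the left-most label only."""
    host, pat = hostname.lower().split("."), pattern.lower().split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(host) > 2 and host[1:] == pat[1:]
    return host == pat

def check_certificate(leaf, intermediates, trust_store, hostname, now):
    """Apply the three browser checks to a site certificate. Returns (ok, reason)."""
    chain, cert = [leaf], leaf
    # 1) trusted party: follow issuer links until a trust-store CA vouches for it
    while cert.issuer not in trust_store:
        parent = next((c for c in intermediates if c.subject == cert.issuer), None)
        if parent is None or parent in chain:       # unknown issuer, or a loop
            return False, f"no trusted issuer for {cert.subject!r}"
        chain.append(parent)
        cert = parent
    chain.append(trust_store[cert.issuer])
    for child, parent in zip(chain, chain[1:]):     # every link's signature must verify
        if not verify_sig(child.tbs(), child.sig, parent.pub):
            return False, f"bad signature on {child.subject!r}"
    # 2) currently valid: every certificate in the chain is inside its validity window
    for c in chain:
        if not (c.not_before <= now <= c.not_after):
            return False, f"{c.subject!r} is not valid on {now.date()}"
    # 3) relationship with the site: a SAN must cover the host name being visited
    if not any(hostname_matches(hostname, san) for san in leaf.sans):
        return False, f"{hostname!r} is not covered by {leaf.sans}"
    return True, "ok"

# Constructed demo PKI; Mersenne primes just keep the toy keys short to write down.
UTC = timezone.utc
ROOT_PUB, ROOT_PRIV = make_key(2**61 - 1, 2**89 - 1)
SITE_PUB, _ = make_key(2**107 - 1, 2**127 - 1)
ROGUE_PUB, ROGUE_PRIV = make_key(2**19 - 1, 2**31 - 1)
ROOT = Cert("Example Root CA", "Example Root CA", (), datetime(2014, 1, 1, tzinfo=UTC),
            datetime(2034, 1, 1, tzinfo=UTC), ROOT_PUB)
ROGUE = Cert("Rogue CA", "Rogue CA", (), datetime(2014, 1, 1, tzinfo=UTC),
             datetime(2034, 1, 1, tzinfo=UTC), ROGUE_PUB)
TRUST_STORE = {ROOT.subject: ROOT}       # what the browser or OS ships with
SITE = issue("example.com", ["example.com", "*.example.com"], datetime(2015, 1, 1, tzinfo=UTC),
             datetime(2016, 1, 1, tzinfo=UTC), SITE_PUB, ROOT, ROOT_PRIV)
FORGED = issue("example.com", ["example.com"], datetime(2015, 1, 1, tzinfo=UTC),
               datetime(2016, 1, 1, tzinfo=UTC), SITE_PUB, ROGUE, ROGUE_PRIV)
TAMPERED = replace(SITE, sans=SITE.sans + ("bank.example.net",))   # edited after signing
NOW = datetime(2015, 3, 5, tzinfo=UTC)

def demo():
    """Run each scenario through the checks; returns {label: (ok, reason)}."""
    cases = {
        "genuine":    (SITE, [], "www.example.com", NOW),
        "forged":     (FORGED, [ROGUE], "example.com", NOW),
        "tampered":   (TAMPERED, [], "bank.example.net", NOW),
        "expired":    (SITE, [], "example.com", datetime(2017, 6, 1, tzinfo=UTC)),
        "wrong host": (SITE, [], "example.net", NOW),
    }
    return {k: check_certificate(c, inter, TRUST_STORE, h, t) for k, (c, inter, h, t) in cases.items()}

if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:10s} -> {verdict}")
```

The forged case shows why handing the browser the rogue CA's own certificate does not help: the chain never reaches anything in the trust store. The tampered case shows that the signature binds every field, so editing the host list after issuance breaks check 1 before check 3 is even reached.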
HTTPS (Hypertext Transfer Protocol Secure) also works with SSL/TLS. HTTPS was first developed specifically for payment transactions over the internet, e-mail and sensitive corporate information systems. HTTPS was a big deal back then and still is now; it plays a bigger role and is no longer limited to those uses. HTTPS now signals the browser to initiate SSL/TLS. HTTPS is like a warning to the browser saying, “Hey! Get ready, I’ve got some very important stuff coming your way!”
Encryption is the process of encoding messages and information using an algorithm. Imagine a bubble with your information inside it, and on the outside of the bubble a series of numbers and letters constantly revolving around it. Those numbers and letters hide what’s inside the bubble. The only one who can see inside the bubble is the intended recipient.
Secure Channel (Schannel)
The Secure Channel (Schannel) security package is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols. These components are used to implement secure communications in support of several common internet and network applications, such as web browsing. Schannel is part of the security package that provides an authentication service and secure communications between client and server. On top of HTTPS, SSL and TLS, Schannel is the Windows component that actually puts those protocols to work. Which is AWESOME!
Let’s get back to Freak Attack, otherwise known as a “Factoring Attack” on RSA-Export keys. Who are these attackers?! Anyone can be an attacker. It’s been speculated, but not confirmed, that the attackers are employees working at an ISP. One could see why an employee working for an ISP could do this: ISP employees are the most knowledgeable about browsers, simple networking and security. The meat and potatoes of FREAK ATTACK is that anyone willing to sit around for hours mulling over data traffic, waiting for an opportunity to inject malicious packets between an unsuspecting “End User” and their destination, can force that user’s browser to use a weak 512-bit encryption key. That’s the test! The weak 512-bit encryption is the test to check vulnerability. If successful, the attacker can then read or manipulate the data between the “end user” and the intended site. Let’s keep in mind that a lot of these vulnerable sites probably haven’t been updated in a while or are not used anymore, so some may argue that people should not be FREAKING OUT over FREAK ATTACK. Maybe, but it’s the internet, and if it’s not secured, anything goes, and you should be concerned.
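The downgrade described above leaves visible traces in the handshake itself: an export-grade cipher suite offered in the ClientHello or selected in the ServerHello, and a 512-bit RSA modulus in the ServerKeyExchange parameters. The added Python example below (not code from the post or from the freakattack.com site) builds constructed ClientHello and ServerHello records in the plain TLS 1.0-1.2 layout, parses the cipher-suite fields back out, flags the export suites by their IANA code points, and measures the RSA key size in ServerRSAParams. One caveat a defender should know: the FREAK client bug was that affected browsers accepted the 512-bit key even when the ServerHello they saw named a normal RSA suite, so a clean ClientHello on its own proves little; the server-side condition, a server still willing to negotiate an export suite when asked, is what the checks here detect and what removing RSA key exchange suites on the server eliminates.

```python
import struct

# IANA code points of export-grade suites (RFC 2246 / RFC 4346 appendix A.5).
# The RSA_EXPORT ones carry the 512-bit RSA key that FREAK targets.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02

# --- builders for the constructed sample messages (version (3, 3) = TLS 1.2) ---
def _record(version, handshake_type, body):
    hs = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + struct.pack("!H", len(hs)) + hs

def build_client_hello(suites, version=(3, 3)):
    body = bytes(version) + bytes(32) + b"\x00"            # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                      # one compression method: null
    return _record(version, CLIENT_HELLO, body)

def build_server_hello(suite, version=(3, 3)):
    body = bytes(version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(version, SERVER_HELLO, body)

def build_rsa_server_params(modulus, exponent=65537):
    """ServerRSAParams from a ServerKeyExchange: length-prefixed modulus, then exponent."""
    m = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    return struct.pack("!H", len(m)) + m + struct.pack("!H", len(e)) + e

# --- parsing and assessment ---
def parse_hello(record):
    """Return (handshake_type, cipher suites) from a ClientHello or ServerHello record.
    A ClientHello yields everything offered; a ServerHello yields the one suite chosen."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4:
        raise ValueError("truncated record")
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                                  # skip version and random
    pos += 1 + body[pos]                          # skip the length-prefixed session id
    if hs_type == CLIENT_HELLO:
        (n,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        return hs_type, [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    if hs_type == SERVER_HELLO:
        return hs_type, [struct.unpack("!H", body[pos:pos + 2])[0]]
    raise ValueError(f"unsupported handshake type {hs_type}")

def rsa_key_bits(params):
    """Bit length of the RSA modulus in ServerRSAParams; export keys are 512 bits."""
    (m_len,) = struct.unpack("!H", params[:2])
    return int.from_bytes(params[2:2 + m_len], "big").bit_length()

def assess(record):
    """Flag export suites in a hello message; returns (found, verdict)."""
    hs_type, suites = parse_hello(record)
    found = [(s, EXPORT_SUITES[s]) for s in suites if s in EXPORT_SUITES]
    if hs_type == CLIENT_HELLO:
        verdict = "client offers export suites" if found else "client offers no export suites"
    else:
        verdict = "server selected an export suite" if found else "server selected a non-export suite"
    return found, verdict

if __name__ == "__main__":
    # 0xC02F = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0x002F = TLS_RSA_WITH_AES_128_CBC_SHA
    print(assess(build_client_hello([0xC02F, 0x002F])))
    print(assess(build_client_hello([0xC02F, 0x002F, 0x0008, 0x0003])))
    print(assess(build_server_hello(0x0008)))
    print(rsa_key_bits(build_rsa_server_params((1 << 511) | 1)), "bit RSA key in ServerKeyExchange")
```

On a real capture, `parse_hello` would be fed the first handshake record of each direction of a TLS connection; a ServerHello carrying any code point from `EXPORT_SUITES`, or ServerRSAParams with a modulus under 1024 bits, is the downgrade the post is talking about.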
***** Warning! Your Browser is vulnerable to the Freak Attack. It can be tricked into using weak encryption if you visit a vulnerable website. We encourage you to update your browser right away **********
Microsoft has NOT released a security update just yet, but has offered a workaround.
Disable RSA key exchange ciphers using the Group Policy Object Editor (Windows Vista and later systems only)
You can disable the RSA key exchange ciphers in Windows Vista and later systems by modifying the SSL Cipher Suite order in the Group Policy Object Editor.
To disable the RSA key exchange ciphers, you have to specify the ciphers that Windows should use, by performing the following steps:
At a command prompt, type gpedit.msc and press Enter to start the Group Policy Object Editor.
Expand Computer Configuration, Administrative Templates, Network, and then click SSL Configuration Settings.
Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
In the SSL Cipher Suite Order pane, scroll to the bottom of the pane.
Follow the instructions labeled How to modify this setting, and enter the following cipher list:
Then click “OK”. What!? If you’re not familiar with a PC and you use it to check Facebook, emails and maybe read the news, “click OK” was probably the only thing you understood here.
Don’t worry, you’re not alone.
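For readers who do manage that Group Policy setting, the idea behind the cipher list is simple: keep the suites whose key exchange is ECDHE or DHE (RSA is used there only to sign the handshake, not to carry the session secret) and drop every suite whose key exchange is plain RSA, the export ones included. The added Python helper below (not Microsoft’s list and not from the post; the starting list is an assumed example of what a Windows cipher suite order might contain) classifies each suite by its key exchange method and produces the comma-separated string the SSL Cipher Suite Order setting expects. The registry location in the comment is where that policy setting is stored.

```python
# Windows lists suites by their IANA names, as one comma-separated string. The GPO
# setting writes it to the "Functions" value under
# HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002.
# CURRENT_ORDER is an assumed example of an existing order, not Microsoft's list.
CURRENT_ORDER = ",".join([
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
])

def key_exchange(suite):
    """Key-exchange method of a suite: the first token between 'TLS_' and '_WITH_'.
    ECDHE_RSA and DHE_RSA only sign with RSA; a bare RSA (or RSA_EXPORT) token means
    the client encrypts the secret to the certificate key, which FREAK weakens."""
    if "_WITH_" not in suite:
        return None                       # e.g. TLS 1.3 names carry no key exchange
    return suite[len("TLS_"):suite.index("_WITH_")].split("_")[0]

def disable_rsa_key_exchange(order):
    """Return (hardened comma-separated order, list of suites that were removed)."""
    kept, removed = [], []
    for suite in (s.strip() for s in order.split(",")):
        if not suite:
            continue
        (removed if key_exchange(suite) == "RSA" else kept).append(suite)
    return ",".join(kept), removed

if __name__ == "__main__":
    hardened, removed = disable_rsa_key_exchange(CURRENT_ORDER)
    print("paste into SSL Cipher Suite Order:", hardened)
    print("removed:", removed)
```

Run it against an exported copy of the current order, review what `removed` lists, and paste the hardened string into the setting; the point of the classification is that `TLS_ECDHE_RSA_...` survives while every `TLS_RSA_...` suite goes.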
As of today, well, last Thursday, Google fired off updated versions of Chrome for PC and Mac, but Chrome for Android is still waiting.
Here are a few sites that have been reported vulnerable:
Those are the ones that have been reported; the list will probably grow.
Also Microsoft provided a list:
This advisory discusses the following software.
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2012
Windows Server 2012 R2
Windows RT 8.1
Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2 (Server Core installation)
Should you be concerned? I wouldn’t take any chances; be concerned and learn more. If you would like help checking to make sure your computer and browsers are up to date, click in the chat box on the bottom right of your screen or call 844-818-3415 and one of our Technology Pros will be more than happy to help you.
By the way. The “End User” is you.