The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
Symantec Freak Vulnerability Infographic
1. @threatintel | www.symantec.com
#FREAK
FREAK TARGETS WEAK CRYPTO
LATEST SSL VULNERABILITY ENABLES ATTACKS AGAINST SOME
SECURE CONNECTIONS
CLIENT
PRECAUTIONS
User: Use non-vulnerable browser (Chrome, Firefox)
Admin: Disable support for weak cipher suites such as export
grade encryption
REMEMBER TO UPGRADE SOFTWARE WHEN PATCHES BECOME AVAILABLE
SOME BROWSERS
CAN BE FORCED
TO USE WEAK
EXPORT GRADE
KEYS
MAN-IN-THE-MIDDLE ATTACK
FORCE DOWNGRADE ENCRYPTION FROM
STRONG TO EXPORT GRADE (<= 512 BIT)
EXPORT GRADE ENCRYPTION <= 512 BIT KEYS
512 BIT TOO WEAK
7 HOURS
IS ALL IT TAKES TO
CRACK A 512 BIT
ENCRYPTION KEY
(Using < 100 typical PC’s)
TIMELINE OF SSL/TLS INSECURITY
1990s
512 bit export grade encryption key size was considered acceptable
for public use but still allowed governments to decrypt
communications if needed.
2000s (EARLY)
Relaxation of controls on non-military grade cryptography.
1024 bit keys widely used and considered safe.
2013
Certificate Authority/Browser Forum increases the key size for Root
CA certs. Baseline requirements jump from 1024 bits to 2048 bits.
This should provide security headroom…for a while.
2014
• HEARTBLEED – SSL information leak vulnerability affecting many
SSL implementations.
• POODLE – SSL encryption downgrade dance can allow attackers
to force weaker encryption on SSL connections which can then
be cracked/hijacked.
• FREAK – Discovery of FREAK vulnerability, affecting many server
implementations and browsers, could allow for multiple attack
scenarios.
SOME SERVERS
STILL SUPPORT
EXPORT GRADE
CIPHER SUITES
SERVER
RAPIDLY INCREASING PROCESSING
POWER MEANS WHAT WAS
CONSIDERED SECURE IN THE 90s IS
NO LONGER SECURE NOW
MOORE’S LAW
Sources:
https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status
https://www.cabforum.org/wp-content/uploads/Baseline_Requirements_V1.pdf
http://www.symantec.com/connect/blogs/heartbleed-bug-poses-serious-threat-unpatched-servers
http://www.symantec.com/connect/blogs/poodle-vulnerability-old-version-ssl-represents-new-threat