[Cryptography] FREAK attack

ianG iang at iang.org
Wed Mar 4 20:40:17 EST 2015


On 4/03/2015 09:18 am, Jerry Leichter wrote:
> Latest attack on SSL, affecting some huge percentage of both servers and clients:  https://freakattack.com/
>
> Remember all those export modes for SSL that we had to live with two decades ago?  Well, it turns out they are still present in at least two code bases (OpenSSL and Apple's SSL implementation), though they aren't offered to the peer.  However, if you MITM the connection and simply tell both ends to use export RSA (512 bit) - due to bad checking, they will.
>
> Lessons to learn:
>
> 1.  Modes and choices are bad in crypto protocols.
> 2.  Leaving holes to let "good governments" in will inevitably leave holes for others as well.
> 3.  In code, assume nothing ever really goes away.
>
> Not, I'm sure, that anyone on this list needs persuading.  But this needs to be repeated, over and over again, so that even non-crypies - and even non-techies - come to internalize it.


Hear hear, singing to the choir and all that.

But battle is still raging with the IETF groups, who should be crypies 
and techies.

Two reasons have been advanced as to why they think there should be 
'choice' in cryptographic protocols.

Firstly, for backup in case of the primary suite's failure.  I find this 
difficult to deal with because nobody there has a plan or view on how 
the 'backup' is to be deployed.  Nor has deployment actually worked 
out well for us; it has pretty much all required a "re-install".

Also, the notion that a well-written modern suite would suddenly spring 
a leak is just not matched in history.  In practice, as today's attack 
shows, the breach is typically caused by the presence of multiple 
suites, not their absence.  Today's breach, entirely due.

Secondly, the notion that is advanced is that countries are sufficiently 
wise & advanced to demand their own suites, their own secure net as it 
were.  This is the GOST argument.

I just don't understand the temptation to listen to this.  We've now got 
revelations that the local big state has slid in bad RNGs, financed bad 
patches, been caught intercepting FedEx shipments of critical hardware, runs a 
complete shadow interception network, and engages in cyber-destruction 
of industrial equipment.  And we want to give states the ability to 
change our crypto?  Huh?

I think this debate will rumble on, but we will have to face these 
arguments head-on and battle through them.  Until we win the argument, 
IETF will continue to create and push out standard protocols with 
weaknesses built in, and industry will continue to pay for this folly.

iang
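An added illustration of the downgrade Jerry's quoted message describes, written for this page and not code from either poster or from freakattack.com. It is a deliberately simplified model of the RSA key-exchange negotiation, not a TLS implementation: the cipher suite names are real TLS names, but every function (`server_respond`, `mitm_downgrade`, `vulnerable_client_accepts`, `fixed_client_accepts`, `run`) and the message shapes are assumptions made for the example, and the rest of the handshake (Finished messages, factoring the 512-bit key) is left out. It shows the three parts of the failure: a server that still carries the export suites, an attacker rewriting ClientHello and ServerHello, and a client whose check of the ServerKeyExchange is too weak, alongside the two fixes (remove the export code from the server, or make the client reject a temporary RSA key in a non-export suite).

```python
from dataclasses import dataclass
from typing import List, Optional

# Suite names are genuine TLS identifiers; everything else is a toy model
# (assumption for this example), not an implementation of the protocol.
STRONG = "TLS_RSA_WITH_AES_128_CBC_SHA"
EXPORT = "TLS_RSA_EXPORT_WITH_RC4_40_MD5"
EXPORT_SUITES = {EXPORT}
EXPORT_RSA_BITS = 512          # the 1990s "export grade" temporary key size


@dataclass
class ServerHello:
    suite: str                 # suite the server claims to have selected


@dataclass
class ServerKeyExchange:
    rsa_bits: int              # temporary RSA key, signed with the server's certificate key


@dataclass
class ServerFlight:
    hello: ServerHello
    ske: Optional[ServerKeyExchange]


def server_respond(offered: List[str], export_enabled: bool) -> Optional[ServerFlight]:
    """Server picks the first offered suite it supports.

    An export suite makes it send a 512-bit temporary RSA key in ServerKeyExchange;
    a normal RSA suite carries no ServerKeyExchange at all.
    """
    supported = [STRONG] + ([EXPORT] if export_enabled else [])
    for suite in offered:
        if suite in supported:
            ske = ServerKeyExchange(EXPORT_RSA_BITS) if suite in EXPORT_SUITES else None
            return ServerFlight(ServerHello(suite), ske)
    return None                # no common suite: handshake failure


def mitm_downgrade(offered: List[str], export_enabled: bool) -> Optional[ServerFlight]:
    """Active attacker: rewrite ClientHello to offer only export RSA, then rewrite the
    ServerHello back to the suite the client asked for, forwarding the weak key as-is."""
    flight = server_respond([EXPORT], export_enabled)
    if flight is None:
        return None            # server has no export code left: nothing to downgrade to
    return ServerFlight(ServerHello(offered[0]), flight.ske)


def vulnerable_client_accepts(requested: str, flight: Optional[ServerFlight]) -> bool:
    """The "bad checking": only the echoed suite name is verified, so a ServerKeyExchange
    carrying a temporary RSA key is accepted for a suite that must never have one."""
    return flight is not None and flight.hello.suite == requested


def fixed_client_accepts(requested: str, flight: Optional[ServerFlight]) -> bool:
    """Correct check: a temporary RSA key is only legal in an export suite, and this
    client never offers export suites, so its presence means the exchange was tampered with."""
    if flight is None or flight.hello.suite != requested:
        return False
    if flight.ske is not None and requested not in EXPORT_SUITES:
        return False
    return True


def premaster_key_bits(flight: ServerFlight, cert_rsa_bits: int = 2048) -> int:
    """RSA key the client would encrypt the premaster secret under: the temporary
    key if one was accepted, otherwise the key in the server certificate."""
    return flight.ske.rsa_bits if flight.ske is not None else cert_rsa_bits


def run(client_check, export_enabled: bool, attacker: bool) -> Optional[int]:
    """Returns the RSA size protecting the premaster secret, or None if the client aborts."""
    offered = [STRONG]         # a modern client never offers export suites itself
    flight = (mitm_downgrade if attacker else server_respond)(offered, export_enabled)
    if not client_check(STRONG, flight):
        return None
    return premaster_key_bits(flight)


if __name__ == "__main__":
    print("vulnerable client, export code present, MITM:", run(vulnerable_client_accepts, True, True))   # 512
    print("fixed client, export code present, MITM:     ", run(fixed_client_accepts, True, True))        # None
    print("vulnerable client, export code removed, MITM:", run(vulnerable_client_accepts, False, True))  # None
    print("vulnerable client, no attacker:              ", run(vulnerable_client_accepts, True, False))  # 2048
```

The first run is the attack: the premaster secret ends up encrypted under a 512-bit key, which is within reach of factoring. Either fix alone stops it, which is the point of the thread: the client-side check is the bug, but the export suites sitting unused in the server are what gave the attacker something to downgrade to.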

