[Cryptography] FREAK attack
ianG
iang at iang.org
Wed Mar 4 20:40:17 EST 2015
On 4/03/2015 09:18 am, Jerry Leichter wrote:
> Latest attack on SSL, affecting some huge percentage of both servers and clients: https://freakattack.com/
>
> Remember all those export modes for SSL that we had to live with two decades ago? Well, it turns out they are still present in at least two code bases (OpenSSL and Apple's SSL implementation), though they aren't offered to the peer. However, if you MITM the connection and simply tell both ends to use export RSA (512 bit) - due to bad checking, they will.
>
> Lessons to learn:
>
> 1. Modes and choices are bad in crypto protocols.
> 2. Leaving holes to let "good governments" in will inevitably leave holes for others as well.
> 3. In code, assume nothing ever really goes away.
>
> Not, I'm sure, that anyone on this list needs persuading. But this needs to be repeated, over and over again, so that even non-crypies - and even non-techies - come to internalize it.
Hear hear, singing to the choir and all that.
But battle is still raging with the IETF groups, who should be crypies
and techies.
Two reasons have been advanced as to why they think there should be
'choice' in cryptographic protocols.
Firstly, for backup in case of the primary suite's failure. I find this
difficult to deal with because nobody there has a plan or view on how
the 'backup' is to be deployed. Nor has deployment actually worked
out well for us; it has pretty much all required a "re-install".
Also, the notion that a well-written modern suite would suddenly spring
a leak is just not matched in history. In practice, as today's attack
shows, the breach is typically contributed by the presence of multiple
suites, not their absence. Today's breach, entirely due.
Secondly, the notion that is advanced is that countries are sufficiently
wise & advanced to demand their own suites, their own secure net as it
were. This is the GOST argument.
I just don't understand the temptation to listen to this. We've now got
revelations that the local big state has slid in bad RNGs, financed bad
patches, caught intercepting fedexes with critical hardware, runs a
complete shadow interception network, and engages in cyber-destruction
of industrial equipment. And, we want to give states the ability to
change our crypto? Huh?
I think this debate will rumble on, but we will have to face these
arguments head-on and battle through them. Until we win the argument,
IETF will continue to create and push out standard protocols with
weaknesses built in, and industry will continue to pay for this folly.
iang
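The downgrade Jerry describes above, modelled as an added example (this is not code from the thread, from OpenSSL or from Apple's implementation): a client that accepts a ServerKeyExchange carrying a temporary RSA key whenever one arrives, versus a client that applies the TLS rule that such a message is only legal when the negotiated suite is RSA_EXPORT and refuses export suites outright. The suite table, message classes and the `run_handshake` flow are constructed for the model; the codepoints are the real IANA values, but no cryptography is performed.

```python
"""Model of the FREAK downgrade against RSA key exchange.

Constructed for illustration: the handshake is reduced to the suite
negotiation and the choice of which RSA key the client encrypts the
premaster secret under. No real TLS or RSA is involved.
"""
from dataclasses import dataclass
from typing import List, Optional

# Subset of the IANA cipher-suite registry (real codepoints, constructed
# subset): two RSA_EXPORT suites and two ordinary RSA suites.
SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}


def is_export(suite: int) -> bool:
    return "_EXPORT_" in SUITES[suite]


def server_offers_export(server_supports: List[int]) -> bool:
    """Server-side check: any export suite still enabled is the precondition
    for the attack, whatever the client does."""
    return any(is_export(s) for s in server_supports)


@dataclass
class ServerHello:
    suite: int


@dataclass
class ServerKeyExchange:
    # Sent only for RSA_EXPORT suites: a temporary RSA key, signed by the
    # certificate key, that the client encrypts the premaster secret under.
    temp_rsa_bits: int


@dataclass
class HandshakeLog:
    key_used_bits: Optional[int] = None
    aborted: Optional[str] = None


def client_handle(negotiated: ServerHello, ske: Optional[ServerKeyExchange],
                  cert_bits: int, strict: bool) -> HandshakeLog:
    """Decide which RSA key encrypts the premaster secret.

    strict=False reproduces the 'bad checking' the thread describes: if a
    ServerKeyExchange shows up, its key is used regardless of the suite the
    client believes it negotiated.  strict=True applies the protocol rule:
    a temporary RSA key is only legal for an RSA_EXPORT suite, and export
    suites are refused outright.
    """
    log = HandshakeLog()
    if strict and is_export(negotiated.suite):
        log.aborted = "export suite negotiated"
        return log
    if ske is not None:
        if strict and not is_export(negotiated.suite):
            log.aborted = "unexpected ServerKeyExchange for non-export RSA suite"
            return log
        log.key_used_bits = ske.temp_rsa_bits
    else:
        log.key_used_bits = cert_bits
    return log


def run_handshake(client_offer: List[int], server_supports: List[int],
                  mitm: bool, strict_client: bool) -> HandshakeLog:
    """One handshake, optionally with a MITM rewriting both Hellos."""
    # ClientHello: the MITM replaces the client's list with an export suite.
    offer = [0x0003] if mitm else list(client_offer)
    # Server picks the first offered suite it supports.
    chosen = next((s for s in offer if s in server_supports), None)
    if chosen is None:
        return HandshakeLog(aborted="no shared cipher suite")
    server_hello = ServerHello(chosen)
    # Export suite negotiated: server ships a 512-bit temporary RSA key.
    ske = ServerKeyExchange(temp_rsa_bits=512) if is_export(chosen) else None
    # ServerHello: the MITM rewrites the suite back to the client's first
    # choice, so the client believes it negotiated a non-export suite.
    if mitm:
        server_hello = ServerHello(client_offer[0])
    return client_handle(server_hello, ske, cert_bits=2048, strict=strict_client)


if __name__ == "__main__":
    client = [0x002F, 0x0035]
    server = [0x002F, 0x0035, 0x0003]       # export suite still enabled
    for mitm in (False, True):
        for strict in (False, True):
            r = run_handshake(client, server, mitm=mitm, strict_client=strict)
            print(f"mitm={mitm} strict={strict}: {r}")
```

The lenient client ends up encrypting the premaster secret under the attacker-visible 512-bit key even though it never offered an export suite; the strict client aborts at the ServerKeyExchange. Removing the export suites from the server closes the hole regardless of client behaviour, which is the check to make first. On an OpenSSL build old enough to still contain the export suites, `openssl s_client -connect host:443 -cipher EXPORT` is the direct way to test a server for them; current builds have those suites compiled out and report no cipher match.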