[Cryptography] FREAK attack

Michael Kjörling michael at kjorling.se
Thu Mar 5 07:06:06 EST 2015


On 5 Mar 2015 08:23 +1100, from dave at horsfall.org (Dave Horsfall):
> I took the liberty of forwarding this to a geek list, and a bod who runs 
> security at a University department responded thus:
> 
>> Sounds somewhat theoretical. Given the existence of certificates
>> that allow corporate proxy servers to 'inspect' SSL traffic, the
>> moment you are in a position to mount a MITM you don't need to mess
>> with tricking the two ends to reduce their security level - as you
>> have access to the clear text in the middle.

Um -- no. An easy way to MITM someone is to set up an open access
wireless network with a tempting name (this gets demonstrated every
now and then in practice, sometimes even in environments where people
_should_ be security-conscious), and on it, intercept all DNS traffic
and modify it appropriately (or reply with your own canned responses
in a mixed authoritative/caching/modifying DNS setup). This works
especially well if you are just looking to MITM "anyone", as opposed
to "this individual in particular" which may take some more effort.

In such a scenario, the MITM'er still doesn't have access to the plain
text of encrypted communications, but _can_ intercept the vast
majority of outgoing connections (anything that relies on DNS and,
possibly, DNS not secured using DNSSEC). That'd normally, given
certificate pinning and similar technologies (which means you can't
easily MITM the TLS cryptography itself), give you a dump of the
encrypted transport stream, which supposedly is difficult to decrypt.
But given that you can _also_ intercept the SSL/TLS _handshake_ and
modify it to trick the parties into using easily breakable crypto, you
_significantly_ lower the bar for a successful breach of
confidentiality.

Corporate SSL MITM'ing is different among other reasons because in
such an environment you control at least one of the endpoints -- the
client -- in addition to the middle point (the one doing the MITM),
allowing establishing trust between the client and the MITM.

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)
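The handshake-tampering step the post describes, worked through as an added example (this is not code from the post or from any of the FREAK write-ups): a man in the middle who cannot read the TLS plaintext can still rewrite the ClientHello so that only export-grade RSA cipher suites are offered, fixing up the handshake and record lengths so both ends see a well-formed message. The cipher suite IDs are the registered TLS values; the ClientHello format follows RFC 5246. The server model (pick the first suite in the server's own preference order that the client offered) is a simplification assumed here for illustration, and the suite lists and the 32-byte client random are constructed sample data.

```python
import struct

# Cipher suite IDs from the IANA TLS Cipher Suite registry.
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F

EXPORT_SUITES = (TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT_WITH_DES40_CBC_SHA)

CONTENT_HANDSHAKE = 0x16   # TLS record content type: handshake
HS_CLIENT_HELLO = 0x01     # handshake message type: ClientHello


def build_client_hello(suites, client_random=bytes(range(32))):
    """Build a minimal TLS 1.2 ClientHello record (no extensions) offering `suites`.
    The client random is constructed sample data, not a real random value."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        b"\x03\x03"                                       # client_version: TLS 1.2
        + client_random                                   # 32-byte random
        + b"\x00"                                         # session_id length: 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                     # one compression method: null
        + b"\x00\x00"                                     # extensions length: 0
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_hdr = bytes([CONTENT_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake))
    return record_hdr + handshake


def parse_client_hello(record):
    """Split a ClientHello record into (bytes before the suite list, suites, bytes after).
    Raises ValueError on anything that is not one complete ClientHello record."""
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) != rec_len or handshake[0] != HS_CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello body")
    pos = 2 + 32                                # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                          # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return body[:pos - 2], suites, body[pos + suites_len:]


def downgrade_client_hello(record, export_suites=EXPORT_SUITES):
    """The MITM step: replace the client's suite list with export RSA suites only and
    recompute the handshake and record lengths so the message still parses cleanly."""
    prefix, _, suffix = parse_client_hello(record)
    suite_bytes = b"".join(struct.pack("!H", s) for s in export_suites)
    body = prefix + struct.pack("!H", len(suite_bytes)) + suite_bytes + suffix
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_hdr = bytes([CONTENT_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake))
    return record_hdr + handshake


def server_select(record, server_suites):
    """Simplified server model (assumption): choose the first suite in the server's own
    preference order that the client offered; None means no shared suite, handshake fails."""
    _, offered, _ = parse_client_hello(record)
    for suite in server_suites:
        if suite in offered:
            return suite
    return None


# Constructed sample data: a client offering only non-export suites, a server that still
# has export suites enabled, and the same server with export suites disabled.
CLIENT_SUITES = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                 TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA]
LEGACY_SERVER = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
                 TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT_WITH_DES40_CBC_SHA]
HARDENED_SERVER = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]


def demo():
    """Run the three cases and return what each server negotiates."""
    original = build_client_hello(CLIENT_SUITES)
    tampered = downgrade_client_hello(original)
    return {
        "untampered": server_select(original, LEGACY_SERVER),
        "downgraded_vs_legacy": server_select(tampered, LEGACY_SERVER),
        "downgraded_vs_hardened": server_select(tampered, HARDENED_SERVER),
    }


if __name__ == "__main__":
    for case, suite in demo().items():
        print(case, "handshake fails" if suite is None else hex(suite))
```

The point of the third case is the server-side fix: the rewrite only helps the attacker if the server still honours export suites, so a server with them disabled turns the tampered hello into a failed handshake rather than a 512-bit RSA key exchange. What this toy does not model is the client-side half of FREAK, where an affected client accepted an export-grade RSA key from the server even though it had negotiated a non-export RSA suite; that is why the client's own suite list (which offers no export suites here) did not protect it.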

