[Cryptography] OPENSSL FREAK

ianG iang at iang.org
Tue Mar 24 19:00:15 EDT 2015

On 24/03/2015 10:26 am, Nikos Mavrogiannopoulos wrote:
> On Tue, 2015-03-24 at 01:12 +0000, ianG wrote:
>> On 23/03/2015 18:11 pm, WebDawg wrote:
>>> I had a question that may seem a bit late but:  why are/were the export
>>> ciphers still put into a current SSL suite?
>> The answer is in parts.
>> 1.  In the 1990s it was believed that cipher agility was a good thing.
>> Everyone had the right to propose their own pet algorithm and get it in
>> there.  (Since then, we've figured out this is a very bad idea...)
> You answer is twisting facts. The export ciphers were not because
> everyone could propose their own pet algorithm. The export ciphers were
> part of the core SSL 3.0 specification. Whether the specification
> allowed its extension beyond the export ciphers is irrelevant. Actually,
> the fact that today we use AES instead of RC4-40 is just because SSL 3.0
> had agility.

He :) well, what you're saying isn't so different, so, I'll move on.

>> 2.  Nobody created a plan, or a protocol, or a ceremony, or anything
>> that actually told us how 1 billion browser users and 1 million server
>> sysadmins would actually ... switch.  So when the time came, the switch
>> couldn't be used, and wasn't relevant.
>> 2.b  And of course, there was no plan/process/ceremony/desire to
>> retire any algorithms.
> Could you please elaborate what you mean here? Several implementations
> switched, and actually disabled the export ciphersuites years ago (in
> gnutls we completely removed support for export ciphers in 2013, and
> even before it was disabled by default).

Right.  Everyone did their own thing.  That's what I mean by the absence 
of a plan.

Have a look at the protocol.  If a HELLO packet arrives, every 
implementation knows what to do.  If a USE AES256 arrives, every node 
knows what to do.

If a SWITCH NOW packet arrives, what would we do?

There is no answer to that.  There isn't even a SWITCH NOW packet...

And, everyone's scratching their heads saying, wait, iang, you looney, 
that makes no sense at all.

Now go helicopter:  There's a mechanism to PUT IN the algorithms and 
CHOOSE the algorithms.  But no mechanism to TAKE THEM OUT, nor to SWITCH.

So obviously, uncontrolled growth was the order of the day, and at the 
micro level, down in the dirt, we get results like this:

> The reason browsers kept the
> export ciphers, is mostly attributed to their strive for 100%
> compatibility with any legacy server out there.

The reason the browsers kept the export ciphers is because they haven't 
got a way to get rid of them *in the legacy servers*.


More information about the cryptography mailing list