FREAK attack: How to keep your code secure

This legacy backdoor still exists in a quarter to a third of all deployed web servers

Bill Weinberg, Senior Director, Open Source Strategy, Black Duck Software

Remember the 1990s, when the Netscape browser was all the rage and Secure Sockets Layer (SSL) encryption was a brand-new idea? Back then, the U.S. government controlled the export of "weapons grade" encryption. Its theory was that domestic communications could benefit from stronger, 128-bit encryption, but software shipped abroad had to use deliberately weakened "export grade" cipher suites that U.S. intelligence and law enforcement could break when they wanted to: 40-bit symmetric ciphers such as RC4-40 and DES-40, with RSA keys of no more than 512 bits for the key exchange. Thus, the concept of export-grade encryption was born. The export rules were relaxed around 2000, but the weak suites stayed in the protocol specifications and in the code.

Fast forward to 2015 and it turns out that this legacy weakness, the vulnerability we've come to know as the FREAK attack (Factoring RSA Export Keys), is still enabled on anywhere from a quarter to a third of all deployed web servers. It's a sad example of how zombie security holes from the era of grunge fashion can return to bite us. The questions are: what to do now, and how can you ensure your code is safe?

Here's the lowdown: FREAK affects the client-side TLS code in OpenSSL (the project Heartbleed hit last year), where it is tracked as CVE-2015-0204 and was quietly fixed in the January 2015 releases (0.9.8zd, 1.0.0p and 1.0.1k). The same logic flaw turned up in other TLS stacks, so different browsers are affected differently: Safari, whose TLS implementation is Apple's SecureTransport rather than OpenSSL, and most Android-native browsers are vulnerable, but Chrome is not. These clients do not share one code base; they share the same mistake in how the handshake is validated. Apple says it is preparing a patch.

The vulnerability lets an attacker sitting between a vulnerable client and a server that still offers export suites downgrade the HTTPS connection. The attacker rewrites the client's ClientHello so that it offers only RSA_EXPORT cipher suites, the server answers with a 512-bit RSA key in a ServerKeyExchange message, and the buggy client accepts that key even though it believes it negotiated a strong suite. Factoring a 512-bit modulus is well within reach today (the researchers did it in about seven hours on Amazon EC2 for roughly $100), and because many servers generated the export key once and reused it for every connection, one factoring job unlocks every session to that server, which can then be decrypted or altered. Many Google and Apple devices are potentially affected, along with embedded systems. FREAK was originally discovered by researchers at INRIA, the French national computer science research institute.

Computer scientists at the University of Michigan are maintaining a site that details the history of the attack and provides useful tips on remediation. Here's what they recommend:

"If you run a web server, you should disable support for any export suites. However, instead of simply excluding RSA export cipher suites, we encourage administrators to disable support for all known insecure ciphers (e.g., there are export cipher suites for protocols other than RSA) and enable forward secrecy. Mozilla has published a guide and SSL Configuration Generator, which will generate known good configurations for common servers. You can check whether your site is vulnerable using the SSL Labs' SSL Server Test."
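The downgrade described above and the server-side remediation quoted from the Michigan team, modelled end to end in one runnable program. This is an added example, not code from the article, the FREAK researchers or OpenSSL. The cipher-suite codes are the real IANA values and the client bug is the CVE-2015-0204 logic flaw, but everything else is a constructed stand-in: 40-bit and 64-bit toy RSA moduli in place of the 512-bit export key and a 2048-bit certificate key, a hand-rolled handshake with a sha256 "PRF" and Finished MAC, and Pollard's rho in place of the hours of real factoring. The suite preference lists for the weak and hardened server are assumptions chosen to illustrate the point.

```python
# Added example (not the article's code): a toy model of the FREAK downgrade and its two fixes.
import hashlib
import hmac
import math
import secrets

RSA_AES128_SHA = 0x002F        # TLS_RSA_WITH_AES_128_CBC_SHA (strong, no forward secrecy)
RSA_EXPORT_RC4_40 = 0x0003     # TLS_RSA_EXPORT_WITH_RC4_40_MD5 (export grade)
ECDHE_RSA_AES128_GCM = 0xC02F  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (forward secrecy)
# The SSLv3/TLS 1.0 export suites: RSA, DH and anonymous-DH variants.
EXPORT_SUITES = {0x0003, 0x0006, 0x0008, 0x000B, 0x000E, 0x0011, 0x0014, 0x0017, 0x0019}

# Toy moduli (constructed): 40 bits stands in for the 512-bit export key (factorable), 64 bits
# for the certificate key, which the attacker treats as out of budget, as 2048 bits is for real.
EXPORT_KEY = {"n": 1000003 * 1000033, "e": 65537}
CERT_KEY = {"n": 4294967291 * 4294967279, "e": 65537}
CLIENT_SUITES = [RSA_AES128_SHA]                                         # what the browser offers
WEAK_SERVER = [ECDHE_RSA_AES128_GCM, RSA_AES128_SHA, RSA_EXPORT_RC4_40]  # export still enabled
FIXED_SERVER = [ECDHE_RSA_AES128_GCM, RSA_AES128_SHA]                    # export off, PFS first

def pollard_rho(n, budget_bits=48):
    """Attacker's factoring step (the real one took about 7 hours on EC2 for 512 bits)."""
    if n.bit_length() > budget_bits:
        return None
    for c in range(1, 50):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    return None

def finished(premaster, transcript):
    """Finished message: MAC under the session's master secret over the handshake as this
    side saw it (sha256 stands in for the TLS PRF)."""
    master = hashlib.sha256(b"master secret" + premaster).digest()
    digest = hashlib.sha256(repr(transcript).encode()).digest()
    return hmac.new(master, digest, "sha256").digest()

def server_hello(server_suites, offered):
    """First suite in the server's preference order that the client offered. An export RSA
    suite adds a ServerKeyExchange carrying the short RSA key, which servers of the era
    typically generated once and reused for the life of the process."""
    for suite in server_suites:
        if suite in offered:
            return {"suite": suite, "ske": EXPORT_KEY if suite in EXPORT_SUITES else None}
    raise ValueError("no common cipher suite")

def client_key_exchange(hello, ske, fixed_client):
    """The client bug (CVE-2015-0204 in OpenSSL): use the ServerKeyExchange RSA key even
    though the negotiated suite is not export grade. The spec (RFC 2246 section 7.4.3) only
    allows that message for export RSA suites, and the fixed client enforces that."""
    if ske is not None and hello["suite"] not in EXPORT_SUITES and fixed_client:
        raise ValueError("unexpected ServerKeyExchange for non-export RSA suite")
    key = ske if ske is not None else CERT_KEY
    premaster = secrets.token_bytes(4)  # real TLS: 48 bytes; 4 keeps it below the toy moduli
    return premaster, pow(int.from_bytes(premaster, "big"), key["e"], key["n"])

def handshake(server_suites, fixed_client, mitm):
    """Client <-> (optional MITM) <-> server; returns what each party ended up with."""
    offered = [RSA_EXPORT_RC4_40] if mitm else CLIENT_SUITES  # MITM swaps in an export suite
    sh = server_hello(server_suites, offered)                 # raises if the server refuses
    shown = dict(sh)
    if mitm:
        shown["suite"] = CLIENT_SUITES[0]  # ServerHello rewritten back to the strong suite
    premaster, cke = client_key_exchange(shown, sh["ske"], fixed_client)
    recovered = None
    if mitm and sh["ske"] is not None:  # factor the export key, decrypt ClientKeyExchange
        n, e = sh["ske"]["n"], sh["ske"]["e"]
        p = pollard_rho(n)
        if p:
            d = pow(e, -1, (p - 1) * (n // p - 1))
            recovered = pow(cke, d, n).to_bytes(4, "big")
    # The client's Finished covers the hellos it saw. A MITM without the premaster cannot
    # produce a matching one and the rewrite is detected; with the recovered secret it can.
    transcript = [CLIENT_SUITES, shown, cke]
    peer_secret = premaster if not mitm else recovered
    peer_fin = finished(peer_secret, transcript) if peer_secret is not None else b""
    return {"premaster": premaster, "recovered": recovered,
            "finished_ok": hmac.compare_digest(finished(premaster, transcript), peer_fin)}

def outcome(server_suites, fixed_client, mitm=True):
    try:
        r = handshake(server_suites, fixed_client, mitm)
    except ValueError as exc:
        return f"handshake aborted: {exc}"
    if r["finished_ok"] and r["recovered"] == r["premaster"]:
        return "compromised: attacker holds the premaster secret"
    return "secure"

if __name__ == "__main__":
    print("buggy client, export-enabled server: ", outcome(WEAK_SERVER, False))
    print("patched client, export-enabled server:", outcome(WEAK_SERVER, True))
    print("buggy client, export-disabled server: ", outcome(FIXED_SERVER, False))
    print("buggy client, no attacker:            ", outcome(WEAK_SERVER, False, mitm=False))
```

Running the four scenarios shows why either fix on its own is enough: the patched client aborts on the stray ServerKeyExchange, and a server with export suites disabled has no weak suite to be talked into, so the attempted downgrade ends in a handshake failure instead of a 40-bit session. The server-side fix matters most in practice because it protects clients that will never be patched, which is the point of the Michigan team's advice. Note the Finished check: it is the mechanism that should expose the attacker's rewritten hellos, and it only fails to do so because the factored key hands the attacker the premaster secret needed to forge it.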

With additional fixes expected from a number of browser and web server vendors, the FREAK story is far from over. It's a useful reminder that a lot of legacy code, while largely vanished from memory, is still running in the systems we use every day.
