Users of Android, iOS and Safari on OS X are vulnerable to a newly found bug in SSL implementations. It is a backdoor that is built in by the US government and can be abused. An attacker can force a lower level of encryption.
In the 1990s, the US government banned companies from offering strong encryption outside the United States. As a result, RSA encryption keys abroad were not allowed to be more than 512bit, for example, so that the American secret services could crack the communication relatively easily. That has not been the case for years now, but the backdoor still appears to be misused, researchers from the French research institute Inria and Microsoft Research have discovered.
Support for the lower level of security still appears to be present in Chrome’s ssl stack on Android. iOS phones are also vulnerable, as is Safari on OS X. BlackBerry 10 is also said to be vulnerable, as are some versions of Internet Explorer on Windows Phone. The desktop version of Chrome is not vulnerable, as are Firefox and Internet Explorer.
The vulnerability appears to have been present for years, but has remained underexposed for years. When creating an ssl connection, the vulnerable browsers do not actively request this lower level of security, but a server can request it. An attacker could pose as a server and force the lower level of security. In that case, the key of only 512bit will be accepted without warning.
Rsa 512-bit keys are relatively easy to crack: according to cryptographer Matthew Green of Johns Hopkins University, an attacker can use Amazon’s EC2 service, for example. It takes about one hundred dollars and 7.5 hours of time to crack one certificate. Although only one certificate is then cracked, in practice the same certificate is often served to several visitors by a website. For example, by default Apache creates a new certificate on server startup, which is served to all visitors.
An attacker would still need to perform a man-in-the-middle attack before exploiting the vulnerability. To do this, he must have control over a victim’s connection, for example by setting up a fake Wi-Fi hotspot. Also, websites must have support for the 512bit rsa keys; a scan from the University of Michigan shows that more than a third of websites have it. These included the FBI and White House websites, which have since been patched. The NSA’s website is still susceptible to the attack.
Users can see if their device is susceptible to the attack on the FreakAttack.com website. The bug is present in Apple’s SecureTransport and OpenSSL, which is used in Android. Apple has already indicated that it wants to roll out an update next week. OpenSSL is already patched. The beta of Chrome for Android already has a patch on board.
Privacy activists say the bug is an example of how a government backdoor could make users less secure. They have been arguing against such backdoors for some time now. “We see that issues like this eventually affect all users,” privacy activist Cristopher Soghoian of the American Civil Liberties Union told The Washington Post.
Last year, many serious security vulnerabilities in ssl and ssl implementations came to light. Among them was HeartBleed, which attackers could use to read the internal memory of a server with OpenSSL. Researchers at Google also found a vulnerability in SSL 3.0, which made it possible for cookies to be intercepted with javascript, for example.