For SSL, already reeling from a myriad of security attacks, FREAK could well sound the death knell
A recently discovered vulnerability could prove to be the final nail in the coffin of SSL (Secure Sockets Layer). The latest vulnerability to hit SSL, called ‘Factoring attack on RSA-EXPORT Keys’ (or FREAK), is claimed to breach as many as 36 percent of all websites trusted by browsers. According to reports, several highly ranked websites, including those of the FBI and NSA, are vulnerable to the flaw.
Microsoft has confirmed that all versions of Windows that implement SSL/TLS are vulnerable to FREAK. This implies that if an enterprise is using the Windows operating system, an attack on the network can force all software that uses the Windows Secure Channel component to use weak encryption over the Internet.
Although widely adopted, SSL has had a chequered history. Devised as a means to enable secure transmission between two points, SSL was quickly adopted by the industry to ensure secure data transmission. However, SSL was continually bogged down by vulnerabilities.
SSL 2.0 was open to length extension attacks, had no protection for the handshake, and was vulnerable to truncation attacks. When version 2.0 gave way to SSL 3.0, that too had several flaws.
In October 2014, researchers from Google identified a flaw in the design of SSL 3.0, which exposed it to a padding attack. Called POODLE (an acronym for Padding Oracle On Downgraded Legacy Encryption), the attack required only 256 SSL requests to disclose one byte of encrypted information. SSL was also on the receiving end of the Heartbleed bug.
Given the large number of flaws in SSL, the PCI SSC (Payment Card Industry Security Standards Council) recently came out with a special bulletin that called for imminent amendments to the PA-DSS (Payment Application Data Security Standard) and PCI DSS (Payment Card Industry Data Security Standard). The bulletin warned payment card industry members that SSL could no longer be relied upon for data protection.
To overcome the shortcomings of SSL, a new protocol called Transport Layer Security (TLS) has come to the fore. Based on an open standard, it is not only more extensible but also ensures support in the future. Also, TLS is scalable enough to secure connections with clients that support only SSL.
The bottom line is that enterprise information technology practitioners can no longer bank on SSL 3.0 to ensure the privacy and protection of their data. It is time to ensure that your websites and browsers move away from SSL to leverage more modern and state-of-the-art security protocols like TLS.
Meanwhile, to counter FREAK, OpenSSL has published a patch. Other vendors too are in the midst of issuing patches for plugging the vulnerability.
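While patches roll out, a defender can check both sides of the advice above: which accepted protocol and cipher pairs are legacy SSL or export-grade, and whether a client is pinned to modern TLS. The Python sketch below is an added example, not code from OpenSSL or any vendor; the scan list is constructed sample data and the function names are hypothetical.

```python
import ssl

# Constructed sample: (protocol, OpenSSL cipher name) pairs as a scan of a
# server's accepted handshakes might list them. Not taken from the article.
SAMPLE_SCAN = [
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1", "EXP-RC4-MD5"),
    ("SSLv3", "AES128-SHA"),
    ("SSLv3", "EXP-DES-CBC-SHA"),
    ("TLSv1", "EXP-EDH-RSA-DES-CBC-SHA"),
]
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}


def classify(protocol, cipher):
    """Return the set of findings for one accepted protocol/cipher pair."""
    findings = set()
    if protocol in LEGACY_PROTOCOLS:
        findings.add("legacy-ssl")
    # OpenSSL prefixes export-grade suites with "EXP-". Those without a
    # Diffie-Hellman key exchange use RSA export keys, the FREAK case.
    if cipher.startswith("EXP-"):
        findings.add("export-grade")
        if "DH" not in cipher:
            findings.add("rsa-export")
    return findings


def audit(scan):
    """Map each flagged (protocol, cipher) pair to its sorted findings."""
    found = ((pair, classify(*pair)) for pair in scan)
    return {pair: sorted(f) for pair, f in found if f}


def hardened_client_context():
    """Client context that refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_offers_export(ctx):
    """True if the context would offer any export-grade suite."""
    return any(c["name"].startswith("EXP-") for c in ctx.get_ciphers())


if __name__ == "__main__":
    for pair, findings in audit(SAMPLE_SCAN).items():
        print(pair, findings)
```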