In response to the news around the FREAK flaw, which, for more than a decade, left users of Apple and Google devices vulnerable to hacking when they visited millions of supposedly secure web sites, Phil Lieberman, CEO of Lieberman Software Corporation writes:
“The FREAK flaw is an attack technique that allows for feasible decryption of SSL keys in hours (and ultimately recorded data on the secure web session) using a man-in-the-middle proxy to trick a web server to use weak encryption rather than the strongest available for the client browser. The technique could be used to decrypt user names and passwords as well as other sensitive data that users may think is protected by SSL.
The vulnerability (as it is called) is simply a known negotiation mode of web browsers and web servers that allows the web servers to downgrade encryption until the client is capable of making a connection. This was originally designed to handle a USA restriction in allowing the export of strong encryption keys/technology (the ban has been lifted for many years). For very old browsers and embedded systems, the downgrade to the lowest encryption may still have value.
FREAK is more or less a hypothetical threat based on a series of very unusual conditions that are unlikely to affect most users of the Internet. The attack also requires a sophisticated attacker with a set of tools and technology not in common use. The attack is very difficult to set up and is the realm of state-sponsored physical intrusion of your Internet connection or your WiFi connection. The mechanism described is a valid methodology, but it depends on physical compromise of your connection and a series of lucky coincidences like you running the right browser and hitting the right web sites (for now). Microsoft Windows Server environments of recent vintage with up-to-date patches seem immune to the problem, but many open-source based embedded systems with web interfaces and general open source web servers using older versions of OpenSSL will be in for another round of unpleasant patching.
FREAK is a low probability threat, so little needs to be done. If customers are running web sites or embedded systems that they believe might be compromised by nation states using this technique, they will need to upgrade their web servers to use a more modern version of OpenSSL. Similarly, customers may want to also update their browsers to versions that disallow use of “weak” encryption.
Heartbleed was a serious and prevalent flaw that affected most users interacting with open source based web servers. Heartbleed was a “you must patch” scenario for Internet facing sites. FREAK is an interesting technique, but it should not keep anybody awake at night unless their Internet connection is tapped or they are using WiFi without encryption and authentication (open access points).”
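The downgrade negotiation the statement describes, and the two mitigations it recommends (servers dropping export suites, clients refusing weak suites), modelled as an added example that is not part of the article or of Lieberman Software's own material. The cipher-suite names are real IANA names; the negotiation logic and the `hello_on_wire` parameter (which stands in for a ClientHello modified in transit) are a constructed simplification, not a TLS implementation.

```python
# Constructed toy model of the TLS cipher-suite negotiation that FREAK abused.
# Not a TLS implementation: it only shows where the two defensive checks sit.

EXPORT_SUITES = [  # export-grade RSA suites from the 1990s US export rules
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
]
STRONG_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def is_export_grade(suite):
    """Export-grade suites carry EXPORT in their IANA name (512-bit RSA, 40-bit keys)."""
    return "_EXPORT" in suite


def server_choose(hello_suites, server_prefs):
    """Server picks the first suite in its own preference order that appears in the ClientHello."""
    for suite in server_prefs:
        if suite in hello_suites:
            return suite
    return None  # no overlap: the handshake fails


def client_accepts(client_offer, chosen, strict):
    """Vulnerable client (strict=False) trusts the ServerHello unconditionally, which is
    what let a server's export suite be used against a client that never offered it.
    A hardened client accepts only a suite it offered itself and that is not export-grade."""
    if chosen is None:
        return False
    if not strict:
        return True
    return chosen in client_offer and not is_export_grade(chosen)


def negotiate(client_offer, server_prefs, hello_on_wire=None, strict=True):
    """Run one negotiation. hello_on_wire (hypothetical parameter) is the suite list the
    server actually received; it defaults to the client's real offer.
    Returns (suite the server chose, whether the client proceeded with it)."""
    seen = client_offer if hello_on_wire is None else hello_on_wire
    chosen = server_choose(seen, server_prefs)
    return chosen, client_accepts(client_offer, chosen, strict)


def audit_server_prefs(server_prefs):
    """Server-side mitigation check: export-grade suites still enabled, i.e. what to remove."""
    return [s for s in server_prefs if is_export_grade(s)]
```

A server whose preference list passes `audit_server_prefs` with an empty result cannot be talked into an export suite regardless of what the ClientHello contains, which is the patch-side fix the statement refers to.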