FREAK can Force MitM Attack

Thursday, March 5, 2015 @ 04:03 PM gHale

A vulnerability in the SSL/TLS implementations used on Apple and Android devices, among others, lets a man-in-the-middle (MitM) attacker force a supposedly secure connection onto weak, export-grade RSA keys that can be factored.

The attack, called FREAK (Factoring RSA Export Keys), relies on a long-abandoned U.S. export policy dating from the 1990s that required encryption products shipped abroad to use deliberately weakened keys.


To comply, “export-grade” cryptography was built into the SSL protocol itself: cipher suites whose keys were easy to break were added on purpose. These suites carry the prefix “EXP.”

An attacker positioned to intercept traffic between a vulnerable client (Safari, or a browser built on OpenSSL) and a server that still offers the export suites can downgrade the connection from the strong RSA key the client asked for to a weak, export-grade one.

The resulting export-grade RSA key protecting the connection is 512 bits long. That was once considered strong, but such a key can now be factored in about seven hours.

The researchers factored one on a cluster of Amazon EC2 virtual servers for about $100, said Matthew Green, cryptographer and research professor at Johns Hopkins University.

Although the export suites are no longer meant to be used, they remain supported in OpenSSL and in Apple’s Secure Transport, putting HTTPS connections made by those clients at risk.

The flaw (CVE-2015-0204), found by Karthikeyan Bhargavan of the INRIA research institute in France together with a Microsoft Research team, left the websites of U.S. government agencies such as the NSA and FBI vulnerable.

A list of vulnerable websites, ordered by Alexa rank, is available; the names include domains such as ohio.gov.

Akamai, whose cloud platform also fronts the NSA’s website, said it has patched the flaw on its side and that its internal (midgress) traffic is no longer vulnerable. It warns, however, that the risk is not removed until clients are fixed as well.

The researchers said the flaw is exploitable on clients using OpenSSL versions prior to 1.0.1k, on the Android Browser and on the Safari web browser (a patch is on the way).
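The downgrade described above, and the client-side check whose absence made OpenSSL-based and Safari clients exploitable, as an added example in Python. This is not code from the FREAK researchers, OpenSSL or Apple: the server, attacker and both client variants are hypothetical functions written for this page, the handshake bytes are constructed by hand, and no network is used. Cipher suite numbers are the IANA TLS values; the server's 512-bit temporary key is a placeholder integer whose only relevant property is its bit length.

```python
"""FREAK downgrade on constructed TLS 1.0 handshake bytes (added example)."""
import struct

# "EXP" suites: key exchange capped at 512-bit RSA by the 1990s export rules.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
# Non-export suites using RSA key transport. No ServerKeyExchange is expected
# for these; accepting one anyway is the defect the example reproduces.
RSA_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
MIN_RSA_BITS = 1024   # assumed floor; anything below is treated as export-grade

def build_client_hello(suites):
    """Bare TLS 1.0 ClientHello handshake message (no extensions)."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00"        # version, fixed random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                   # one compression method: null
    return b"\x01" + len(body).to_bytes(3, "big") + body  # type 1, 24-bit length

def parse_client_hello(msg):
    """Return the cipher suites a ClientHello offers, in order."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 2 + 32                  # skip version and random
    pos += 1 + body[pos]          # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]

def attacker_rewrite_hello(msg):
    """MitM step 1: discard the client's list and offer only export RSA suites."""
    parse_client_hello(msg)       # validate what we intercepted, then replace it
    return build_client_hello(list(EXPORT_SUITES))

def server_respond(client_hello, server_suites):
    """Pick the first offered suite the server supports. For an export suite the
    server also sends a ServerKeyExchange carrying a temporary 512-bit RSA key."""
    for suite in parse_client_hello(client_hello):
        if suite in server_suites:
            break
    else:
        raise ValueError("no shared cipher suite")
    temp_key = None
    if suite in EXPORT_SUITES:
        # Placeholder modulus (constructed): only its bit length is inspected below.
        # Real servers reused one such key for hours, which made factoring it pay off.
        temp_key = (1 << 511) | 0x10001
    return suite, temp_key

def attacker_rewrite_server_hello(chosen, offered_by_client):
    """MitM step 2: tell the client the server picked a strong RSA suite it really
    offered, so the client never sees the word EXPORT in the ServerHello."""
    return next(s for s in offered_by_client if s in RSA_SUITES)

def vulnerable_client(offered, chosen, temp_key):
    """Pre-fix behaviour: a temporary RSA key is used whenever one arrives, even
    for a non-export RSA suite in which none should appear (CVE-2015-0204)."""
    if chosen not in offered:
        return False, "suite not offered"
    key_bits = temp_key.bit_length() if temp_key else 2048   # 2048: assumed certificate key size
    return True, f"premaster secret encrypted under {key_bits}-bit RSA"

def hardened_client(offered, chosen, temp_key):
    """Checks of the kind a fixed client performs: refuse export suites, refuse a
    ServerKeyExchange for an RSA suite, refuse any RSA modulus under MIN_RSA_BITS."""
    if chosen not in offered:
        return False, "suite not offered"
    if chosen in EXPORT_SUITES:
        return False, "export suite"
    if chosen in RSA_SUITES and temp_key is not None:
        return False, "unexpected ServerKeyExchange for RSA suite"
    if temp_key is not None and temp_key.bit_length() < MIN_RSA_BITS:
        return False, f"RSA key too small ({temp_key.bit_length()} bits)"
    return True, "ok"

def run_handshake(client_fn, mitm):
    """Drive one handshake against a server that still has EXP suites enabled."""
    offered = [0xC02F, 0x002F, 0x0035]   # the client never offers an export suite
    server_suites = set(RSA_SUITES) | set(EXPORT_SUITES)
    hello = build_client_hello(offered)
    if mitm:
        hello = attacker_rewrite_hello(hello)
    chosen, temp_key = server_respond(hello, server_suites)
    if mitm:
        chosen = attacker_rewrite_server_hello(chosen, offered)
    return client_fn(offered, chosen, temp_key)

if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_client), ("hardened", hardened_client)):
        for mitm in (False, True):
            print(f"{name:10s} mitm={mitm!s:5s} ->", run_handshake(fn, mitm))
```

Run stand-alone, the vulnerable client ends the attacked handshake with its premaster secret encrypted under the 512-bit key (which the attacker can factor offline, then forge the Finished messages), while the hardened client rejects the same transcript because a ServerKeyExchange arrived for an RSA suite. The matching field check against a live server is `openssl s_client -connect host:443 -cipher EXPORT`; a server that completes that handshake still offers the EXP suites and should have them removed from its cipher list.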
