FREAK flags are waving across the digital landscape, now that another SSL bug has appeared. Jack Wallen offers up his take on the latest flaw and how you can test your servers against the vulnerability.
Secure-Socket Layer (SSL) was supposed to be the end-all encryption routine that would be the dawn of a more secure digital age. After all, NSA had their hands in it — so, naturally, it was to be trusted.
Fast forward a decade or two, and SSL has suffered its share of near catastrophic flaws. And just when we thought those flaws were a thing of the past, enter FREAK — Factoring attack on RSA-EXPORT Key. The gist of this new flaw is this: You use either Safari or the Android build-in browser, and when visiting sites from certain countries, weaker encryption is used (here is a list of FREAK attack sites) and your browser can be compromised. For example: A malicious server can skip TLS altogether: it can pretend to be any server and exchange plaintext data with the client.
The immediate fix is to use either Firefox or Chrome — or if your client (browser) uses the latest version of OpenSSL, you're safe.
If you want to find out if your server is vulnerable, issue this command:
openssl s_client -connect www.DOMAIN.com:443 -cipher EXPORT
Where DOMAIN is the domain or IP of the server to test. If you see handshake failure in the output, your server is safe. If you don't see that in the output, update OpenSSL immediately. You can also use this site to check your servers for the FREAK vulnerability.
Okay, this is all fine and good. It's yet another example of how modern, complex approaches to the digital age can poke holes in just about anything it wants, and the only way you are truly safe from exploits, bugs, and flaws is to go off the grid and never touch a computer again.
All your security are belong to NO ONE.
The more we know about technology, the more frightening things can get. The more we look backwards or forwards, the more realistic the singularity can get. But the truth of the matter is — these "fatal flaws" found in open-source software (such as found in OpenSSL) are almost always immediately patched. There will be more holes, and various media outlets will continue to raise their own FREAK flag, high in hopes of scaring up a bit of drama.
Again, simple fix — use Firefox or Chrome. Disaster averted.
Until the next hole shows up (and it will). That's how we work now. I could type this sentence and someone would manage to find a flaw within the warp and weft of the words to claim it disastrous. Shortly thereafter, an editor would swing by, fix the flaw, and call out to the world the day has been saved.
When these things happen within the realm of open source, many people are quick to point the finger of shame at FOSS and cry out that open source is less secure and reliable than proprietary solutions. But the truth of the matter is this — all systems and all code can (and eventually will) be compromised. It's just a matter of the right person looking for the right thing at the right time. No matter if your software is open or closed — the flaws are there. The age-old debate about the Linux kernel vs. the Windows kernel — proving one is more secure and reliable than the other — isn't a matter of saying "My Linux system has an uptime of 7,000 days!" or "Microsoft has a market share chokehold, and IT pros know better than to deploy open-source systems in production environments."
The idea of absolute security is a myth. However, the ideal of patching the flaws as they arrive is not... and open source wins that hands down. As far as FREAK is concerned, the latest release of OpenSSL has the FREAK flaw fixed.
Apple, on the other hand, is still working on a fix for the issue.
Do you ever consider patch times when contemplating the choice between open- and closed-source software? If not, what is the major deciding factor? Let us know in the discussion thread below.