Continuing with the trend initiated during 2014, new vulnerabilities associated with the protocol SSL/TLS are being published with relative frequency, a protocol which is habitually used as a mechanism to guarantee communication confidentiality in Internet.
One of the latest vulnerabilities to be discovered at the beginning of last March is the so called "FREAK" (Factoring attack on RSA-EXPORT Keys):
- FREAK, the vulnerability which allows the reduction of security measures
- Vulnerability in all Microsoft Windows products
The FREAK vulnerability takes advantage of certain deficiencies in clients and vulnerable servers, which allow an attacker who intercepts communications to force these to operate using a weaker code than the one initially established. This weaker cryptographic algorithm can be deciphered, thereby giving access to the transmitted information.
It is important to state that, in this case, in order to carry out the attack the following conditions are necessary:
- Identify a vulnerable client.
- Identify a vulnerable web server.
- Carry out a "Man-in-the-middle" attack between client and server.
Even when the previous conditions are present, it is still necessary to break the password of the weak code (which can take weeks, depending on the hardware resources available to the attacker), and access to the information will only be available while the server does not generate a new one, therefore, in practice, the impact of this vulnerability is more or less limited.
Regarding clients, the majority of web browser manufacturers have facilitated updates that solve this vulnerability. It is possible to check if a browser is vulnerable by accessing different web based resources, for example:
As for servers, in order to know the potential impact on Spanish domains it is interesting to understand the degree of exposure the .es domain websites have to this vulnerability, as well as updating the information on other vulnerabilities related to SSL that were published in INCIBE’s blog at the end of last year.
Degree of exposure of Spanish domain webs
The global data on .es domain web exposure to some of the analyzed vulnerabilities has practically remained stable:
In spite of observing a slight increase in the percentage of webs that use SSL, the percentage of webs affected by any of the four vulnerabilities analyzed (Heartbleed, Poodle, WinShock and FREAK) has remained more or less stable.
Even though in global terms the percentage of webs affected was already low, a slight reduction can be observed despite the incorporation of FREAK, which, as can be observed in the following graph, has a very limited presence:
Comparatively, the proportion of appearances of Heartbleed and WinShock has diminished (-0.087 % and -0.11 %, respectively), whereas Poodle has increased significantly (+0.090 %), though it is necessary to bear in mind that the initial value was very low. FREAK’s presence is residual; having the lowest percentage of the four vulnerabilities despite being the most recent (only 0.026 % affected).
The level of incidence of these vulnerabilities in Spain continues to be low (less than 2 %), with a slight decrease in some of the known vulnerabilities and, surprisingly, an increase in the case of Poodle (inherent to SSL 3.0).
SSL’s weaknesses together with the global trend towards the coding of communications create the possibility for the development of new vulnerabilities associated with these cryptographic algorithms. Due to this, it is probable that industry will use increasingly safe protocols such as TLS, given that SSL 3.0 does not fulfil the minimal safety requirements.
As always, the CERT of Security and Industry operated by INCIBE recommends maintaining all products updated and to apply good practices within system configurations, in order to avoid being affected by these vulnerabilities and others that could appear in the future.