Mailing List Archive

TLS Freak Bug - Relax
Hi everybody who might be concerned,

The TLS Freak bug (discovered by https://www.smacktls.com/) employs a man-in-the-middle attack (MiTM), which may be successful under the following conditions:

- a TLS-enabled client or server not obeying the required state changes in the TLS protocol (i.e. JSSE),
- a TLS-enabled client (i.e. a Web browser) offering RSA_export key support (which might be honored by the MiTM server faking the RSA keys, which are "512 bits long; hence, they can be factored in less than 12 hours for $100 on Amazon EC2"),
- a TLS-enabled server (typically a Web server) again offering RSA_export key support.

It is worth mentioning that the RSA_export keys — even though having a length of just 512 bits — are *ephemeral* and should be generated on the fly for each connection — at least, they could be; but depending on the policy, they might last for even one week.

A potential danger may arise if the TLS Change Cipher Spec protocol can be used by the MiTM to downgrade to SSL version 2 or 3.

None of these vulnerabilities is present in my current ucspi-ssl and Spamcontrol version. Only TLS versions (1.0, 1.1, 1.2) are supported for negotiation. No RSA_export cipher settings are initially present.

I have already referenced some of the principal problems with TLS on my SMTPTLS tutorial page (http://www.fehcom.de/qmail/smtptls.html).

In short, the newly publicly discussed vulnerability of TLS is already well known and certainly an order of magnitude less severe w.r.t. the Heartbleed bug. In particular, no private keys can be compromised here.

Relax.

Regards,
—eh.
---
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE
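The first condition in the mail (a client not obeying the TLS state machine) is what lets the MiTM succeed: a correct client must refuse a ServerKeyExchange carrying RSA parameters unless an RSA_EXPORT suite was actually negotiated. The following is an added example, not code from the mail or from ucspi-ssl; it parses the ServerRSAParams structure from RFC 2246 and applies that state check plus the 512-bit export limit. The cipher suite IDs are the real RFC 2246 values; the sample modulus is constructed and signature verification of the message is assumed to happen elsewhere.

```python
import struct

# Cipher suite identifiers from RFC 2246 (TLS 1.0).
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F       # non-export: no RSA ServerKeyExchange allowed
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003     # export suite: temporary 512-bit RSA key allowed
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008
EXPORT_RSA_SUITES = {TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT_WITH_DES40_CBC_SHA}

def build_server_rsa_params(modulus, exponent):
    """Encode ServerRSAParams { rsa_modulus<1..2^16-1>; rsa_exponent<1..2^16-1>; }
    (constructed test input, used here in place of a real server message)."""
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    return struct.pack(">H", len(n)) + n + struct.pack(">H", len(e)) + e

def parse_server_rsa_params(body):
    """Decode ServerRSAParams; raise on truncated input instead of guessing."""
    if len(body) < 2:
        raise ValueError("truncated ServerRSAParams")
    (n_len,) = struct.unpack(">H", body[:2])
    modulus = body[2:2 + n_len]
    off = 2 + n_len
    if len(modulus) != n_len or len(body) < off + 2:
        raise ValueError("truncated ServerRSAParams")
    (e_len,) = struct.unpack(">H", body[off:off + 2])
    exponent = body[off + 2:off + 2 + e_len]
    if len(exponent) != e_len:
        raise ValueError("truncated ServerRSAParams")
    return int.from_bytes(modulus, "big"), int.from_bytes(exponent, "big")

def accept_server_key_exchange(negotiated_suite, body):
    """Return True only if an RSA ServerKeyExchange is legal in this handshake state.

    A FREAK-vulnerable client skipped the first check and used the weak temporary
    key even though it had negotiated a strong, non-export RSA suite."""
    if negotiated_suite not in EXPORT_RSA_SUITES:
        return False  # message not permitted for this suite: abort the handshake
    modulus, exponent = parse_server_rsa_params(body)
    if modulus.bit_length() > 512:
        return False  # export rule: temporary key must not exceed 512 bits
    if exponent < 3 or exponent % 2 == 0:
        return False  # malformed public exponent
    return True
```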