May 20 update: A second group of researchers have published a follow-up attack that shares many similarities with FREAK, known as “Logjam.” Like FREAK, this attack allows for a man-in-the-middle (MITM) attacker to trick clients into using weak export-grade level ciphersuite options when the server supports them. In this case, the downgrade vulnerability is in the TLS protocol itself (versus client implementations) and forces the use of crippled export strength Diffie-Hellman key exchange.
Fastly is not vulnerable to Logjam — we only offer the more secure Elliptic Curve variant of the Diffie-Hellman key exchange (ECDHE), and the RSA key exchange mechanism for clients that don’t support ECDHE. Since Fastly does not offer any export grade ciphersuite options — and we do not offer the Diffie-Hellman key exchange mechanism — our services are not affected.
March 3: Another TLS/SSL vulnerability has been announced, titled FREAK (Factoring Attack on RSA-EXPORT Keys). Because of Fastly’s existing TLS/SSL settings, our services — and customers using Fastly as their CDN — are not vulnerable to this attack.
The crux of FREAK is client and server support for export-grade encryption. When SSL was developed by Netscape in the early 1990s, strong cryptography was still controlled under strict export restrictions, so the protocol included a separate set of deliberately weakened export-grade ciphers. Since this time, restrictions around exporting strong cryptography have been lifted, and export-grade ciphers are an unnecessary relic of the past. Fastly hasn’t included export-grade ciphers in our TLS configuration for at least four years.
Unfortunately, much like with POODLE and other recent attacks on TLS/SSL, the internet community at large has been slow to remove antiquated features and has continued to optionally support export-grade ciphers for clients that request them. FREAK is dangerous because it allows a man-in-the-middle (MITM) attacker to trick servers that support export-grade ciphers to use them, even for clients that request cryptographically secure ciphers.
The FREAK attack relies on servers that support export-grade ciphers, and on client software being vulnerable to the “message skipping” attack. Both sides are now being addressed by the security community as clients patch their TLS software and server providers remove export-grade ciphers.
Fastly’s commitment to strong cryptography and TLS best practices means our part is already done — we haven’t historically supported export-grade ciphers. We will continue to monitor discussions around FREAK and client-side vulnerabilities as they unfold.
You may also like:
GitHub’s Joe Williams discusses mitigating security threats
At Fastly Altitude 2015, Joe Williams, a computer operator at GitHub, gave a talk on mitigating security threats (like DDoS attacks) with a CDN. This post is an overview of his talk, with full video…
How to fuzz a server with American Fuzzy Lop
In this blog post, I’ll describe how to use AFL’s experimental persistent mode to blow the doors off of a server without having to make major modifications to the server’s codebase. I’ve used this technique…
Improving visibility into CA operation with Certificate Transparency
If you follow the security news cycle, you may have seen recent discussions about Google detecting a Certificate Authority (CA) in China improperly issuing certificates capable of transparently (that is, without warning) imitating Google...