View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

What Freak means for the future of SSL encryption

Another security layer flaw lays open wider debates on backdoors.

By Jimmy Nicholls

Controversies around massive bugs are becoming a cliché in cybersecurity, with the latest "Freak" vulnerability following on from previous scandals with equally dramatic names: Heartbleed, Shellshock and, er, Poodle.

Indeed ever since news of Heartbleed broke the security of SSL, the layer that protects the traffic from your web browser to the server, has been in question, with many companies pouring funds into the Linux Foundation to secure the upkeep of OpenSSL, a variant of the technology.

So this time around, what can be learnt from this flaw?

1. Freak is not as bad as Heartbleed

Media interest in major vulnerabilities has dulled since the furore over Heartbleed, with each revelation being received with less interest as people have absorbed the notion that insecurity is the norm, rather than the exception.

Fortunately the lack of hyperbole is justified this time, as Keith Bird, UK MD at security vendor Check Point explained: "Even though the vulnerability affects a significant number of major websites worldwide, the risk to consumers and business users of their data being intercepted by a hacker exploiting it is minimal, as it would take a great deal of targeted effort to do so.

"As the flaw affects the Safari browser on iPhones, iPads and Macs and Android’s built-in browser, but not Google Chrome or the latest versions of Internet Explorer or Firefox, users can simply switch to a web browser that’s not affected to mitigate any risk from this vulnerability."

2. There’s nothing wrong with your SSL certificates

Digital certificates are the method by which web browsers can confirm whether a given connection is trusted or not by checking it against a verified signer. Whilst there have been issues with them in the past, Freak is a different type of bug.

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business

"Your existing certificate will continue to work as intended; no certificate replacement is needed," said Rick Andrews, technical director at Symantec, writing on the firm’s blog. The problem exists with web server configurations, and in particular what ciphers are being used to encrypt traffic.

"It’s relatively easy to determine if a website is vulnerable, and if so, it’s relatively easy to change the configuration to block any possible attacks," he added. "Any type of web server may be vulnerable if its configuration allows the use of so-called export ciphers."

3. US export restrictions on encryption are responsible

American officials have been worried for some time that other countries might lay their hands on strong encryption, and have made many attempts to disrupt the exporting of US cryptography. As such when SSL was being created in the early 90s the US government mandated that the encryption be downgraded to a key length of 512bits.

As Phil Lieberman, chief executive of Lieberman Software, described it, Freak "is simply a known negotiation mode of web browsers and web servers that allow the web servers to downgrade encryption until the client is capable of making a connection".

He added that for older browsers and embedded systems "the downgrade to the lowest encryption may still have value". Unfortunately Freak means that some clients running TLS (the sequel to SSL) will accept export grade keys even when the client does not as for them.

4. "Backdoors will always bite you in the ass"

Security backdoors have always been a contentious topic, whether they are being discussed by the FBI and Silicon Valley, or the US and China. Given the conflicting priorities of corporations and governments that much is not likely to change.

Yet as Matthew Green, a cryptographer at John Hopkins University points out, decisions made today can echo decades down the line. This is worrying precisely because UK and US security agencies have criticised the technology companies for encrypting their products properly.

"While officials carefully avoid the term "backdoor" — or any suggestion of weakening our encryption systems against real attackers — this is wishful thinking," Green wrote on his blog. "These systems are already so complex that even normal issues stress them to the breaking point."

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.