Deliberately weakening internet security has been tried before. It was stupid then, and it’s worse now. Let’s not repeat the same mistake. blog.mindrocketnow.com
I recently posted about how proposed changes to the UK counter-terrorism bill to create a back door for breaking encrypted traffic wasn’t a good idea. It turns out that the super-critical internet security flaw of the week vindicates this view, as it is directly due to an earlier attempt to deliberately weaken internet security. (For a more comprehensive yet accessible explanation, I encourage you to read Matthew Green's blog.)
To understand what’s happened, we need to go back in time to the early 1990s. In the bad old internet days, when Netscape was the best browser in town, do you remember that it was available in two variants – domestic US and international? The reason was a hangover from World War 2, that the NSA didn’t want the version that used the “super-strong” 128-bit key length being used by foreigners because it wouldn’t then be able to eavesdrop in the name of keeping the US safe. Therefore, the export version used an export key limited to 40 bits.
As we know, time makes a fool of technology limitations, and the 40-bit limit was shown to be very foolish in very little time. The Washington Post does a good job of putting this into context: a 512-bit key length encryption can be broken by a skilled code breaker and about 7 hours of computing time from the equivalent of 75 computers. This computing power can be bought for around $100.
Fast forward to year 2000, and the US finally realised that their e-commerce economy was hamstrung compared to the rest of the world because of the negative public perception of its weak security. So security legislation was relaxed, and full strength encryption was available everywhere (subject to usual restrictions of international commerce). The current standard key length is 2048 bits, and will no doubt increase as computing power increases. However, the export key length has remained 512 bits because it’s legacy and nobody cares. The law of unintended consequences of this didn’t surface until this week, 15 years later.
In order to make figuring out whether to use domestic US or export-grade encryption, web clients negotiates which cipher key length to use. In the past, this negotiation would have included whether the secure conversation was to be in US or foreign, however now nobody cares. Therefore the same client and server software could be deployed around the world. However the OpenSSL client (as used in Android) and SecureTransport client (as used in iOS and OSX) have a bug: they will accept an export-grade key even if they didn’t ask for one. This makes them vulnerable to a particular type of Man-In-The-Middle attack.
Imagine the client asks an e-commerce server for a standard cipher key length. Imagine also that a nefarious MITM has inserted itself into this transaction. The MITM, being in the middle, replaces this request with one asking for an export key length, thus tricking the e-commerce server. The server will happily initialise the transaction using the weakened key, and the client will accept this weakened key, neither of them thinking anything is amiss, and so won’t notice the MITM. The MITM can now crack this 512-bit key in 7 hours for $100. Once cracked, the MITM can intercept all communications that uses this key.
Perhaps you’re now thinking: surely the servers won’t bother with export keys and only serve standard keys. Well, some recent scans have found that 36.7% of trusted sites can be tricked into serving weakened export keys. Sites which include some of the biggest trafficked sites in the world: http://connect.facebook.net/ (although I read that the Facebook server configs have been updated since the flaw was publicised).
Perhaps you’re also thinking: my e-commerce transactions never take 7 hours, so I’m safe from this attack. It turns out that it’s expensive (in compute terms) to generate a new key, so keys are routinely re-used. One of the widest-used web server software, Apache, uses the same key for the uptime of the server. So after that first 7 hours of compute, the MITM can intercept all communications from that server to all subsequent clients. That’s all subsequent financial transactions and confidential information.
This flaw isn’t at all theoretical and in the imagination. There has been a Proof of Concept test successfully completed by researchers, which has demonstrated that this is possible. It’s out there and it’s a big deal. So what can we do?
I’m afraid it’s the usual advice for consumers: keep your software up-to-date, especially OS, anti-malware and browsers. And keep an eye on your credit card transactions – not just when you see the statement but regularly. Google, Apple, Apache, everyone with big resources, will be scrambling to put out a patch. Some patches are already implemented, like for the Firefox browser. But fundamentally, there’s little for the consumer to do except be vigilant.
Internet security is now more important than national security – it now underpins global commerce. Let the magnitude of that statement sink in a bit. That’s why deliberately weakening internet security in the name of national security is plain stupid. We need our governments to find a better way to keep us safe.