The FREAK encryption downgrade blues

security encryption key
Credit: Thinkstock

Got those Export Security Blues

Downgrading encryption

Ought to be-----

Yesterday's news.

First reported in the Washington Post, you can apparently get your Freak on all too easily. It happens when your website, by your choice or through a crack employed on your site, forces a downgrade in the encryption level to a user's browser. The user's browser will dutifully downgrade the encryption level unless it's been set never to do that, which is rare.

Someone in the middle of the conversation, a man-in-the-middle, reads the downgraded encryption conversations then uses brute force attacks (these can be done with lightning speed these days), and in under a half-day, they can have the conversation added to a database to be used against you, your user/customer, or both.

If it's an internal access of a user to, say, a database, you expose everything—including passwords and most other interactions. Google's Chrome browser is apparently immune, and other browser makers are wrestling with patches. This exposure is very old. It's unknown just how long these browsers may have been vulnerable. Your website needs testing to see if it has somehow been changed to force the downgrade. If so, talk to your legal department…. then, your clientele, internal or external.

This comes as a result of what was once known as export-grade security, which left U.S. and friendlies' browsers at highest encryption, but with the ability for export encryption to be downgraded. Many browsers respect the downgraded encryption level request, and will therefore offer up your lunch and the drink you brought with you. Unintended consequences? Yes.

You have to force this patch, and soon. Don't delay. This goes especially to your virtualized resources, VDI, HTML5 services, and external-facing web servers, as well as each and every single freaking user in your domain. My sympathies. Again.

Must read: Hidden Cause of Slow Internet and how to fix it
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies