Android and Apple users vulnerable old backdoor in ssl




Users of Android, iOS and Safari on OS X are vulnerable to a newly discovered bug in SSL implementations. It is a backdoor that is built by the US government and can be abused. An attacker could force a lower level of encryption.

In the nineties, the US government still forbade companies to offer strong encryption outside the United States. Therefore could RSA encryption keys abroad eg not more than 512 bits, so that the US secret services could crack the communication relatively easy. Meanwhile, it has long been not so, but the backdoor still turns to abuse, found researchers at the French research institute INRIA and Microsoft Research.

Support for the lower level of protection still appears to be present in the SSL stack of Chrome on Android. Also iOS phones are vulnerable, as well as Safari on OS X. Also BlackBerry 10 would be vulnerable, as well as some versions of Internet Explorer on Windows Phone. The desktop version of Chrome is not vulnerable, as well as Firefox and Internet Explorer.

The vulnerability appears to be present for years but remained underexposed years. When making an SSL connection from vulnerable browsers inactive asked this lower level of security, but a server can ask. An attacker could occur while for a server and force the lower level of security. In that case, the key of only 512 bits without warning accepted.

RSA keys of 512 bits are relatively easy to solve: according cryptographer MatthewEGreen of Johns Hopkins University, an attacker for this example, the service from Amazon EC2 use. To crack one certificate is approximately one hundred dollars and required 7.5 hours of time. Although then only one certificate is cracked, the same certificate by a website in practice often served to several visitors. Default, Apache for example, a new certificate from the server startup, which is served to all visitors.

An attacker would have still be able to perform a man in the middle attack referenced before he could exploit the vulnerability. He must have control of the connection of a victim, for example by setting up a fake wifi hotspot. Also have websites support for the 512bit-RSA keys; from a scan of the University of Michigan shows that more than a third of the websites that has. Among them included the FBI and the White House website, which have been patched. NSA’s website is still prone to the attack.

Users can visit the website see if their device is susceptible to attack. The bug is present in Secure Transport Apple and OpenSSL, which is used in Android. Apple has already shown next week wanting an update rollout . OpenSSL has been patched. The beta of Chrome for Android already has a patch on board.

Privacy activists argue that the bug is an example of how a government backdoor users can create unsafe. They plead for some time against such backdoors. “We see that such problems eventually affect all users,” says privacy activist Christopher Soghoian of the American Civil Liberties Union in front of The Washington Post.

Last year, many serious security problems in SSL and SSL implementations to light. Underneath was Heartbleed which attackers could read the internal memory of a server with OpenSSL. Also found researchers from Google a vulnerability in SSL 3.0, allowing javascript instance cookies could be intercepted.


In: Technology & Gadgets Asked By: [15446 Red Star Level]

Answer this Question

You must be Logged In to post an Answer.

Not a member yet? Sign Up Now »