If you thought that FREAK SSL/TLS security hole was only in programs using Apple’s SSL (old OpenSSL) – you’re wrong, and vulnerable. MS’s Secure Channel (SChannel) stack has it too. Great.
FREAK allows mitm (man-in-the-middle) attacks thanks to mistakes made decades ago. “As new technologies emerge, and cryptography hardens, many simply add on new solutions without removing out-dated and vulnerable technologies. This effectively undermines the security model you are trying to build,” said Andrew Avanessian, Avecto's EVP of consultancy and technology services.
We’re also days away from a patch, so there’s a good “How To” here: http://www.zdnet.com/article/how-to-protect-yourself-against-freak/
Who’s Vulnerable:
The following SSL/TLS client libraries are vulnerable:
- OpenSSL (CVE-2015-0204): versions before 1.0.1k.
- BoringSSL: versions before Nov 10, 2014.
- LibreSSL: versions before 2.1.2.
- SecureTransport: is vulnerable. A fix is being tested.
- SChannel: is vulnerable. A fix is being tested.
Web browsers that use these TLS libraries are open to attack. These include:
- Chrome versions before 41 on various platforms are vulnerable.
- Internet Explorer. Wait for a patch, switch to Firefox or Chrome 41, or disable RSA key exchange as detailed below using the Group Policy Object Editor.
- Safari is vulnerable. Wait for a patch, switch to Firefox or Chrome 41.
- Android Browser is vulnerable. Switch to Chrome 41.
- Blackberry Browser is vulnerable. Wait for a patch.
- Opera on Mac and Android is vulnerable. Update to Opera 28 (when stable), switch to Chrome 41.
Your browser might even be safe, but:
“Chrome for Windows and all versions of Firefox are known to be safe. However, even if your browser is safe, certain third-party software, including some anti-virus products and adware programs, can expose you to the attack by intercepting TLS connections from the browser. If you are using a safe browser but our client test says you’re vulnerable, this is a likely cause.”
To see if your specific client system is vulnerable, run the FREAK Attack Client Check
Apple and Google will be releasing fixes this coming week.
So…if you want to blame someone for this vulnerability, blame the NSA. Yup:
“It seemed like such a good idea in the early 90s. Secure-Socket Layer (SSL) encryption was brand new and the National Security Agency (NSA) wanted to make sure that they could read "secured" web traffic by foreign nationals. So, the NSA got Netscape to agree to deploy 40-bit cryptography in its International Edition while saving the more secure 128-bit version for the US version. By 2000, the rules changed and any browser could use higher security SSL. But that old insecure code was still being used and, fifteen years later, it's come back to bite us.” – ZDNet
You see, the NSA made sure that the early SSL protocol itself was made to be broken.
So…all this reminds me of Mad Magazine’s Spy vs. Spy: Setting out to screw the enemy, you end up screwing yourself because if there’s one thing you can count on it’s if things can go wrong, they will and one other thing: People are lazy, and fix things in the laziest way possible.
Sources:
http://www.zdnet.com/article/how-to-protect-yourself-against-freak/
http://www.zdnet.com/article/freak-another-day-another-serious-ssl-security-hole/
http://www.zdnet.com/article/microsoft-reveals-windows-vulnerable-to-freak-ssl-flaw/
http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
If you notice, he recommends those settings if you use Tor. I don't need that NSA magnet.
Aviator strips info so the user is less vulnerable (in protected mode)...not outdated as far as I can see. Also, it's updated and maintained, so fewer worries there.
no, he does not. Tor is mentioned briefly one single time, the recommendations in that post have nothing to do with it.
look again. in Aviator enter aviator://version/ in the address bar. it is now 4 major versions behind Chrome/Chromium
the last time it was updated was in December 2014
edit: wrong commit history. so, there actually are a few bugfixes.
https://github.com/WhiteHatSecurity/Aviator/commits/master
regarding your statement, this post from WhiteHatSecurity might be interesting:
https://blog.whitehatsec.com/aviator-going-open-source/
So we hope that people use the browser and make it their own. We won’t be making any additional changes to the browser; Aviator is now entirely community-driven. We’ll still sign the releases, QA them and push them to production, but the code itself will be community-driven.
is there such a thing as an "Aviator community"? looking at the commit history, there is just one single person contributing to the code. seems Aviator has been abandoned.
Reminds me of an old Slashdot joke:
Man speaking to his phone: "Hello! Can anybody hear me?"
NSA analyst: "No."
Maintaining a browser code is a huge effort that needs funding, manpower and determination. It's far better if the existing teams patch up their product than to start a community-driven "hooray" initiative that dies after a few months.
Thanks for the links, moshi. They raise an eyebrow a millimeter or 2 concerning Aviator, but more importantly are a good source of info for securing Chrome itself.
^ ^
Version 37.0.2062.99 (2.6) is the current one...
I don't know how they number their updates, so I'm at a disadvantage as to what each one included. I also don't know what they consider a "Major" vs. a "Minor" update.
How does Aviator stay up to date? Aviator has an automatic update system. Every five hours Aviator will check with our server to see if a newer version is available. If an update’s available it will be downloaded in the background and it will install upon restarting Aviator.
So...clearly it's updated.
yeah, i thought so. i'll try to explain:
numbers before the first dot are major version numbers
2.6 is the (internal) Aviator version number
37.0.2062.99 is the Chromium version number, which was already outdated when they first used it for Aviator 2.5. you can also see that they did not update the Chromium base when going from 2.5 to 2.6
in Justin Schuh's post you can see why they have to use such outdated Chromium versions, they managed to ruin the necessary feature of version parity themselves. (i am sure you don't need an explanation why version parity would be required)
besides that, JavaScript is outdated in Aviator as well.
how is that clear? your quote says it does check for updates and if there would be an update it would install silently. that's all.
again, directly from WhiteHatSecurity: "We won’t be making any additional changes to the browser. ". they hope for some (fictional) community to do that.
so, as a final post from me:
if you want to believe Aviator is an "extremely secure" browser, that's fine. if you manage to ignore the new vulnerabilities Aviator has added (and you can absolutely do that. i doubt anyone will ever bother to exploit those as the browser has hardly a userbase), then you would be very correct to say that Aviator is more secure than Chrome 37 with default settings.
it could be worse. if i remember correctly there is also a user here that thinks Internet Explorer 8 (or maybe even 7) is a secure browser.
looking at the screenshots you post regularly it seems Chrome is your main browser anyways.
Failed the test yesterday
Monthly Microsoft updates today.
Rechecked and all OK
Using IE11
Macca
It's clear from their version numbers.
Monthly updates today from MS fixed IE, well at least for me it did.
Indeed.
two months later, current status:
- no updates
- now 5 major versions behind Chrome/Chromium
- no commits on Github as well
That's the NSA for you. You'd be surprised what else they (and other agencies) have done over the years to screw us in the name of "safety". Unfortunately when people find out legitimate information on things like this people don't believe them and they instantly get labeled as a nut job or conspiracy theorist. Look up the history of the OSS some time. Some of what they did back in the day will knock your socks off.