Microsoft FREAK workaround suggests disabling RSA, would blackhole non-FS sites

Discussion created by brihow on Mar 5, 2015
Latest reply on Mar 10, 2015 by argerrit

Earlier today Microsoft released guidance confirming that all versions of Windows are vulnerable to the "FREAK" export ciphers downgrade attack.

Microsoft Security Advisory 3046015

No doubt Microsoft, along with Google and Android, will provide a patch for this issue in due time. For the meantime, Microsoft's guidance suggests enforcing a cipher suite policy that disables RSA key exchange.

TL;DR: According to the latest SSL Pulse report, 38% of sites would be unreachable if you implemented this guidance.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

Translated to OpenSSL, this is:

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
DHE-DSS-AES256-SHA256
DHE-DSS-AES128-SHA256
DHE-DSS-AES256-SHA
DHE-DSS-AES128-SHA
EDH-DSS-DES-CBC3-SHA

So you can check the impact on your sites using openssl s_client:

rem usage: <script> host [port]; cacert.pem sits next to the script (%~dp0). The port defaults to 443 (assumed default, since the snippet as posted never set %port%).
if "%2"=="" (set port=443) else (set port=%2)
set cipher=ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-SHA384,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES256-SHA,ECDHE-RSA-AES128-SHA,DHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-AES128-SHA,DHE-DSS-AES256-SHA256,DHE-DSS-AES128-SHA256,DHE-DSS-AES256-SHA,DHE-DSS-AES128-SHA,EDH-DSS-DES-CBC3-SHA
openssl s_client -showcerts -status -CAfile %~dp0cacert.pem -connect %1:%port% -cipher "%cipher%"

But the impact should be obvious: if you don't support Forward Secrecy suites, you will be unreachable.

Probably no one will follow this workaround, because the most recent SSL Pulse shows that 38% of sites don't support any Forward Secrecy suites.
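As an added example (not code from the post or from Microsoft), here is the SChannel-to-OpenSSL name translation done by hand above, as a small Python function, plus a probe that does what the s_client line does. The function names `to_openssl`, `openssl_cipher_string` and `negotiates` are chosen here; the probe pins TLS 1.2 because TLS 1.3 cipher suites are not governed by the cipher list and are always forward-secret, which would otherwise mask the result.

```python
import re
import socket
import ssl

# Added example, not code from the original post. SChannel names look like
# TLS_<kx>_WITH_<cipher>_<mac>[_P<curve>]; OpenSSL uses the hyphenated short form.
_CURVE = re.compile(r"_P(256|384|521)$")
_AES = re.compile(r"AES_(128|256)_(GCM|CBC)_(SHA|SHA256|SHA384)")

def to_openssl(suite: str) -> str:
    """Map one SChannel suite name to its OpenSSL name."""
    name = _CURVE.sub("", suite)                  # curve suffix has no OpenSSL equivalent
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not an SChannel suite name: {suite}")
    kx, rest = name[4:].split("_WITH_", 1)
    prefix = kx.replace("_", "-")                 # ECDHE_RSA -> ECDHE-RSA
    m = _AES.fullmatch(rest)
    if m:
        bits, mode, mac = m.groups()
        # OpenSSL names GCM explicitly but leaves CBC implicit: AES256-SHA384
        cipher = f"AES{bits}-GCM-{mac}" if mode == "GCM" else f"AES{bits}-{mac}"
    elif rest == "3DES_EDE_CBC_SHA":
        cipher = "DES-CBC3-SHA"
        if prefix.startswith("DHE-"):             # legacy spelling: EDH-DSS-DES-CBC3-SHA
            prefix = "EDH-" + prefix[4:]
    else:
        raise ValueError(f"unsupported cipher/MAC in {suite}")
    return cipher if prefix == "RSA" else f"{prefix}-{cipher}"   # plain RSA kx: no prefix

def openssl_cipher_string(suites) -> str:
    """Translate, drop duplicates left by per-curve variants, join for -cipher."""
    names = []
    for s in suites:
        n = to_openssl(s)
        if n not in names:
            names.append(n)
    return ":".join(names)

def negotiates(host: str, port: int, cipher_string: str, timeout: float = 5.0):
    """Suite the server picks from cipher_string, or None if the handshake fails."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites ignore set_ciphers and are always forward-secret; pin to 1.2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None
```

Feeding the 29 SChannel names above to `openssl_cipher_string` yields exactly the 19-entry OpenSSL list in the same order; a `None` from `negotiates` means that host would be unreachable under the workaround (or failed certificate validation, as with `-CAfile`).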