March 24, 2018

FREAK Attack: The Chickens of ‘90s Crypto Restriction Come Home to Roost

Today researchers disclosed a new security flaw in TLS/SSL, the protocol used to secure web connections. The flaw is significant in itself, but it is also a good example of what can go wrong when government asks to build weaknesses into security systems.

Back in the early 1990s, it was illegal to export most products from the U.S. if they had strong cryptography. To be exportable, a system had to use small keys that could be defeated by a brute-force search over the (reduced) key space. Because of this, the secure web protocol, SSL, was designed to allow either party to a communication to ask to use a special export mode. [Note for crypto geeks: “export mode” refers to certain cipher suites whose names start with “EXP”.] When it became legal to export strong crypto, the export mode feature was not removed from the protocol because some software still depended on it. Export mode is still an option today.

This creates the possibility that a network “man in the middle” (MITM) can downgrade the security of a connection. If Alice and Bob are setting up a connection, the MITM can tell Alice that Bob is asking for export mode, and vice versa. This kind of “downgrade attack” is well known, and the TLS/SSL protocol has features designed to detect it. In this case, for complicated reasons beyond the scope of this post, the anti-downgrade protections could be evaded by a clever MITM.

Having tricked Alice and Bob into using export mode, an adversary could then crack the 512-bit RSA keys used in this mode. Back in the ‘90s that would have required a heavy-duty computation, but today it takes about 7 hours on Amazon EC2 and costs about $100.

Many web sites are vulnerable to this attack, allowing an adversary in the network to spoof or spy on traffic to vulnerable sites. About 12% of popular sites appear to be vulnerable, including,,,,, and

Even the National Security Agency’s own site is vulnerable. That’s not a big national security problem in itself because NSA doesn’t distribute state secrets from its public site. But there is an important lesson here about the consequences of crypto policy decisions: the NSA’s actions in the ‘90s to weaken exportable cryptography boomeranged on the agency, undermining the security of its own site twenty years later.

Next time you hear a government official ask to modify a security system to protect their own access to data, ask yourself: What are the side effects? How do we know we won’t regret this later?


  1. Gregory H. James (Sr) says:

    Thank you. I have been trying to tell people this for yrs. now. Maybe you will have better luck. Somebody had to say it, and it doesn’t matter who. Again, thanks (heartfelt)

  2. I have never understood WHY the U.S. Government put a ban on exporting cryptography (see my own explination however). There have been TONS of unintended consequences to that stupidity; you list one here I have found many over the past 20 years. But, then I already know the U.S. Government doesn’t care about security; they only care about CONTROL! And the control is all about money.

    I suspect, the U.S. Government (and by exention the plutarchs) wanted to control cryptography because in the 90’s it stood to profit greatly from such a control (before Open Source was much of a player). That would certainly follow the pattern of their motives for everything from international copyright laws/treaties to lawn laws of my city. Its all about control of people for pofit.