The FREAK TLS attack

Following the trend of memorable names for TLS attacks, FREAK was recently announced. This exploits a bug in some TLS libraries, combined with the support of ancient weak ciphers, to enable a MitM to force crackable encryption. (The story of these ciphers is quite interesting, but plenty has been written elsewhere about that already.) As part of general cleanup, these ciphers were removed in our developer channel months ago, in beta over a month ago, and were already scheduled for removal in stable versions today when news broke last week. Desktop for Macintosh and Opera browser for Android were vulnerable, both have been fixed today in Opera 28 for Desktop and Android 🙂 Desktop for Windows and Linux are not affected.

iOS is was also vulnerable, along with many apps and browsers running on iOS, including Opera Coast, and non-Mini mode in Opera Mini. Such apps use OS libraries, so users will have had to wait for an OS update for iOS from Apple. Update: iOS 8.2 is available for download, and fixes the issue. Opera Mini (in Mini mode) is not vulnerable on iOS (or elsewhere), it uses a custom protocol to connect to the proxy servers, and the proxy servers do not use vulnerable libraries to connect to websites. So if you want a secure browser on iOS while waiting for a patch, you may safely use Opera Mini.

The SuperFish certificate problem

Many of you may already be aware of a product called SuperFish, and the recent problems surrounding it. The details of these problems have already been made public elsewhere, but we will summarise the important points here. If you need further information, please see the published details.

Superfish is designed to be installed on a computer. It will intercept all connections to websites, modifying the response so it contains additional content provided by SuperFish. In order to allow this to work with HTTPS websites – which would normally be protected by certification and encrypted connections – it intercepts the connection, generates a certificate for the website, presents the browser with that certificate. It decrypts the request, then re-encrypts the request to the real website. It then decrypts the response from the website, and re-encrypts it when passing the response back to the browser. This is known as a Man in the Middle (MitM).

Browsers would normally reject this, because the generated certificate is not signed by a trusted authority. To allow the generated certificate to be used, SuperFish installs its own root certificate into the computer’s certificate store as a trusted root certificate. That way, the browser sees that it was used to sign the generated certificate, and assumes the generated certificate is the correct one for the website.

SuperFish is certainly not the only software to do this; many anti-virus and parental-control products use the same principle, and external debugging tools also may need to intercept connections. In practice, this means that a browser is unable to check the identity and safety of the website, which reduces the overall security. Browsers go to great lengths to make sure that websites are using their certificates correctly, and that the connection only uses protocols that are known to be secure, and this sort of MitM approach prevents that. Even if, for example, the browser were to prevent the FREAK attack, if the MitM software did not fix it, the user would remain vulnerable. For that reason, we would recommend being especially wary of any software which operates in this manner, and would advise against allowing software to intercept HTTPS connections in this way.

Some of these products, including SuperFish, have a more serious issue. Rather than use a different root certificate for each installation, they use the same certificate for all installs. The signing key (the certificate’s private key) is contained in the code of each install, and is used to sign the generated certificates. An attacker can look through the program’s code to extract the key, which they can then use to sign any certificates of their own. They can then use these certificates to falsify any website of their choosing. This then allows them to carry out a MitM attack against any user who has that product’s root certificate installed.

SuperFish was installed by default on certain Lenovo consumer computers running Windows, which is what drew so much media attention to this sort of problem.

Several agencies, including Lenovo and Microsoft, have released removal tools to remove SuperFish from affected computers. Until the root certificate is also removed, the user is still at risk of attacks. Therefore most removal tools will also remove the certificate from any certificate stores they are aware of. We strongly urge any affected users to run the removal tools as soon as possible. Some are distributed automatically through Windows Update – users should allow this update.

Opera uses the operating system’s certificate store, so until affected users remove SuperFish, they will still be at risk from this issue. We do plan in the very near future to blacklist the root certificate. At that point, access to HTTPS websites will be blocked by default for any user who still has the certificate installed, requiring users to click through a warning dialog in order to access secure websites. Becuase of this, we have chosen to give users the chance to locate and use the removal tools (more of which may soon become available) before blacklisting the certificate. As SuperFish is intentionally installed (although perhaps without affected users realising), its certificate is not considered to be fraudulent or erroneous. Blacklisting the certificate while the program is still installed would not add any security; it cannot prevent the software from intercepting connections, and it will force users to manually accept all https connections, making http connections appear favorable.

Blocking individual software products does not solve the problem completely, of course, as there are still other products making this mistake, and we cannot possibly track them all. There are also some legitimate use-cases for interception software. We are planning future improvements to safeguard user security/privacy even in such cases.

Additional credits

We would also like to take this opportunity to thank Sankaranarayanan Sundarapandian and Vincent Lee from Adobe for finding and reporting an issue with how Opera handled Flash. In some cases, one tab would be able to listen to key presses made on other tabs. This issue was fixed in Opera 26, and the fix has since been applied to Chromium as well.

---