A team of researchers has discovered a new encryption flaw called Logjam, a bug that allows an attacker to weaken the encrypted connection between a user and a website or mail server.
It is similar to FREAK, another bug that allows an attacker to intercept supposedly encrypted traffic between vulnerable clients and servers and force them to use weakened encryption.
How It Works
When a browser communicates with a server, both of them agree on which algorithm to use for the encrypted connection. Ideally, the strongest encryption is chosen, but with the Logjam bug attackers dupe a Web server into thinking that it is using a stronger encryption key when it’s actually not.
It helps the attacker collect traffic with weak encryption and decode it quickly. According to researchers, this is done through a popular cryptographic algorithm called the “Diffie-Hellman key exchange,” which allows internet protocols such as SSH, HTTPS, IPSec, and SMTPS to agree on a shared key and negotiate a secure connection.
Logjam resides in the TLS (Transport Layer Security) protocol used to encrypt traffic between website servers and browsers. It enables a man-in-the-middle attacker to downgrade vulnerable TLS connections to comparatively weaker 512-bit export-grade cryptography.
This lets the attacker read and modify any data communicated over the connection. The bug affects all modern browsers and any server that supports DHE_EXPORT ciphers.
It has been reported that over 8.4 percent of the top 1 million domains are vulnerable, along with a large number of email services and other systems.
Are You Affected?
A website named WeakDh has been set up to give all the information related to this bug, including the research report. It will also let you know if your browser is vulnerable to Logjam as soon as you open the site.
What To Do If You Are Affected
Make sure you have your browser’s latest version installed and check for updates frequently.
If you are a developer or system administrator, make sure all TLS libraries are up to date and that you are configured to automatically reject Diffie-Hellman groups smaller than 1024 bits.
If you run a server, the first thing you need to do is generate a unique 2048-bit Diffie-Hellman group and disable support for export cipher suites. Here is a step-by-step Guide to Deploying Diffie-Hellman for TLS that you can refer to.
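As an added illustration (not code from the researchers or from any browser or TLS library), the sketch below shows the kind of client-side check described above: it reads the Diffie-Hellman parameters a server sends in its TLS ServerKeyExchange message and rejects groups smaller than 1024 bits. The function names and the "reject"/"weak"/"ok" verdicts are assumptions of this example, and the sample parameters are constructed numbers, not real primes.

```python
import struct

MIN_DH_BITS = 1024          # rejection threshold named in the article
RECOMMENDED_DH_BITS = 2048  # group size the article recommends for servers


def _read_opaque16(buf, offset):
    """Read one TLS opaque<1..2^16-1> field: 2-byte big-endian length, then data."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from("!H", buf, offset)
    end = offset + 2 + length
    if length == 0 or end > len(buf):
        raise ValueError("empty or truncated field")
    return buf[offset + 2:end], end


def parse_server_dh_params(buf):
    """Parse dh_p, dh_g, dh_Ys from a DHE ServerKeyExchange body (signature ignored)."""
    fields, offset = [], 0
    for _ in range(3):
        raw, offset = _read_opaque16(buf, offset)
        fields.append(int.from_bytes(raw, "big"))
    return tuple(fields)


def classify_dh_group(buf):
    """Return 'reject', 'weak' or 'ok' from the bit length of the prime dh_p."""
    p, _g, _ys = parse_server_dh_params(buf)
    # Measure the integer, not the field length, so zero-padding cannot hide a small prime.
    bits = p.bit_length()
    if bits < MIN_DH_BITS:
        return "reject"
    return "weak" if bits < RECOMMENDED_DH_BITS else "ok"


def make_sample(bits, pad_to=0):
    """Constructed input: an odd number of `bits` bits, NOT a real prime."""
    p = (1 << (bits - 1)) | 1
    p_raw = p.to_bytes(max(pad_to, bits // 8), "big")
    body = b""
    for raw in (p_raw, b"\x02", b"\x05"):
        body += struct.pack("!H", len(raw)) + raw
    return body


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(bits, classify_dh_group(make_sample(bits)))
```

A 512-bit export-grade group is rejected even when its prime is zero-padded to look like a 2048-bit field, because the check measures the number itself.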
Browser makers have already started working on fixing the bug. Patches for supported versions of Microsoft’s Internet Explorer have reportedly already been released, and updates for Mozilla Firefox, Google Chrome, and Apple Safari are expected to be announced soon.
According to The Wall Street Journal, browser makers are moving to block small Diffie-Hellman keys, which should make browsing safer. However, the fix could make over 20,000 websites unreachable.
It’s not clear yet if any hackers have exploited the bug, but researchers speculate that the National Security Agency might have used it to spy on VPNs, or virtual private networks. However, the NSA hasn’t responded to the claim yet.
So have you tested if you are vulnerable to Logjam? If not, do it now. Also, what is your opinion about Logjam? Please share your views in the comments below.