HTTPS-protected connections at risk from 'Logjam' cryptographic attack
NewsPoster
MacNN Staff
May 20, 2015, 11:15 AM
 
Security researchers have uncovered a new threat that can leave HTTPS-protected connections at risk. The vulnerability, which the researchers have named "Logjam," is a flaw that affects the Diffie-Hellman key exchange, a cryptographic algorithm that protocols such as HTTPS, SSH, SMTPS, and others use to negotiate secure connections between the server and the browser on the end user's computer.

Logjam can effectively allow an attacker to use a man-in-the-middle attack to access encrypted traffic. The vulnerability can force the connection down to 512-bit export-grade cryptography, in turn making the encrypted data more easily readable. While this is relatively similar to the recent FREAK attack, the researchers note that it attacks the Diffie-Hellman key exchange instead of an RSA key exchange, and is due to a flaw in the TLS protocol instead of an implementation vulnerability.

According to the researchers, approximately 8.4 percent of the top million domains using HTTPS are vulnerable to Logjam, with POP3S and IMAPS vulnerable in 8.9 percent and 8.4 percent of cases respectively. Internet users are advised to upgrade their browser, with Safari, Internet Explorer, Firefox, and Chrome updates being deployed, while server owners need to disable support for external cipher suites and generate a unique 2048-bit Diffie-Hellman group, as well as upgrading to the latest version of OpenSSH.

Ars Technica notes that the issue is partly caused by export restrictions put in place by the US government in the 1990s, to give government agencies the ability to break encryption used in other countries. "Logjam shows us once again why it's a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for," data scientist J. Alex Halderman told the publication. "Today that backdoor is wide open."

The researchers suggest that the attack can be used to downgrade connections on 80 percent of servers using DHE_EXPORT with a common 512-bit prime, and though an academic team would be able to defeat a 768-bit prime, it is thought a nation-state could break a 1024-bit prime. If someone did, breaking the single most-common 1024-bit prime used by webservers could allow eavesdropping on connections to 18 percent of the top 1 million HTTPS domains, while a second prime could allow for passive decryption of 66 percent of VPN servers and 26 percent of SSH servers. If left unpatched, Logjam would be a potential goldmine for government agencies performing online surveillance.
     
   