A team of researchers recently disclosed a vulnerability that weakens the encrypted connection between a user and a web or email server, putting the data sent over those connections at risk. The flaw, named the “LogJam” bug, affects all major browsers and any server that still accepts 512-bit “export-grade” Diffie-Hellman key exchange, a deliberately weakened cipher strength that should have been retired long ago.
The LogJam bug resides in the Transport Layer Security (TLS) protocol used to encrypt traffic between browsers and web servers. It was found during follow-up work on the FREAK bug (Factoring Attack on RSA-EXPORT Keys), disclosed in March, which likewise weakens encrypted connections between computers and websites. The two look similar but differ in an important way. FREAK was an implementation bug in particular TLS libraries, which wrongly accepted an export-grade RSA key the client had never asked for; LogJam is a flaw in the TLS protocol itself, so every client that followed the specification was exposed. They also attack different key exchanges: RSA export keys in FREAK, Diffie-Hellman export groups in LogJam.
How does LogJam work exactly? When a client and server negotiate a Diffie-Hellman key exchange (normally using a 1024-bit group), a man-in-the-middle rewrites the client’s handshake so that it offers only the 512-bit “export” cipher suites. The server obliges and sends 512-bit Diffie-Hellman parameters. Because the server’s signature covers only those parameters and not the cipher suite that was negotiated, the client cannot tell it has been downgraded and accepts them. The attacker then solves the 512-bit discrete logarithm, recovers the session key, and can read or modify everything sent over the connection. The break is made far cheaper by the fact that most of the servers analyzed use one of a handful of fixed 512-bit primes: the expensive part of the computation depends only on the prime, so it can be done once per prime, after which individual connections can be broken in about a minute.
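To make the downgrade concrete, here is a toy model of the handshake. It is an added example written for this article, not code from the researchers or from any TLS library. It shrinks the groups (a 10-bit prime stands in for the 512-bit export group, a 31-bit prime for an ordinary DHE group) so that the attacker’s discrete logarithm is a brute-force loop, and it uses an HMAC under a made-up server key in place of the server’s RSA signature; the cipher-suite names, the `run_handshake` function and its parameters are all inventions of the example. It walks through the three steps described above: the attacker rewriting ClientHello to offer only DHE_EXPORT, the client accepting the small parameters because the signature still verifies, and the attacker recovering the session key in time to forge both Finished messages. The same model shows the two fixes: a client that refuses groups below a minimum size, and a server with the export suites disabled.

```python
"""Toy model of the LogJam downgrade (constructed for this article, not the
researchers' code). Groups are shrunk so the attacker's discrete log is a
brute-force loop: the 10-bit "export" group stands in for the 512-bit
DHE_EXPORT groups, the 31-bit group for an ordinary 1024-bit DHE group."""
import hashlib
import hmac
import secrets

# Constructed toy groups (assumption): real servers used 512-bit and 1024-bit primes.
EXPORT_GROUP = (1019, 2)        # safe prime; 2 generates the whole group, ~1000 steps to brute-force
STRONG_GROUP = (2**31 - 1, 7)   # 7 is a primitive root of 2^31-1: far beyond the toy attacker's budget
GROUP_FOR_SUITE = {"DHE_RSA": STRONG_GROUP, "DHE_EXPORT": EXPORT_GROUP}
MIN_DH_BITS = 16                # toy stand-in for the 1024-bit floor browsers adopted after LogJam
DLOG_BUDGET = 1 << 12           # steps the toy attacker can spend before the client times out
SIGNING_KEY = b"hypothetical-server-key"  # HMAC under this key stands in for the RSA signature


def sign_params(cr, sr, p, g, ys):
    """TLS 1.2 ServerKeyExchange signature: it covers the two randoms and the
    DH parameters but NOT the negotiated cipher suite. That gap is the bug."""
    return hmac.new(SIGNING_KEY, b"%d|%d|%d|%d|%d" % (cr, sr, p, g, ys), hashlib.sha256).digest()


def master_secret(shared, cr, sr):
    return hashlib.sha256(b"%d|%d|%d" % (shared, cr, sr)).digest()


def finished_mac(ms, transcript):
    """Finished authenticates each side's own view of the handshake."""
    return hmac.new(ms, transcript.encode(), hashlib.sha256).digest()


def brute_force_dlog(g, y, p, budget):
    """Return x with g**x == y (mod p), or None if not found within `budget`
    steps. The real attack used a number-field-sieve precomputation per prime."""
    acc = 1
    for x in range(1, budget):
        acc = acc * g % p
        if acc == y:
            return x
    return None


def run_handshake(mitm=False, min_dh_bits=0, server_suites=("DHE_RSA", "DHE_EXPORT")):
    """One DHE handshake, optionally through a man-in-the-middle. Returns what
    each party concluded so the outcome can be checked."""
    cr, offered = secrets.randbits(64), ["DHE_RSA"]         # client never offers export suites
    result = {"downgraded": mitm, "dh_bits": None, "client_accepted": False,
              "attacker_recovered_key": False, "finished_ok": False}

    # Attacker rewrites ClientHello so the server sees only DHE_EXPORT.
    server_sees = ["DHE_EXPORT"] if mitm else offered
    suite = next((s for s in server_sees if s in server_suites), None)
    if suite is None:
        return result                                       # no common suite: server aborts
    p, g = GROUP_FOR_SUITE[suite]
    result["dh_bits"] = p.bit_length()
    xs, sr = secrets.randbelow(p - 2) + 1, secrets.randbits(64)
    ys = pow(g, xs, p)
    sig = sign_params(cr, sr, p, g, ys)

    # Attacker rewrites the ServerHello suite back to DHE_RSA; ServerKeyExchange
    # passes through untouched, so its signature still verifies at the client.
    client_sees = "DHE_RSA" if mitm else suite
    sig_ok = hmac.compare_digest(sig, sign_params(cr, sr, p, g, ys))
    if not (sig_ok and client_sees in offered and p.bit_length() >= min_dh_bits):
        return result                                       # client aborts
    result["client_accepted"] = True

    xc = secrets.randbelow(p - 2) + 1
    yc = pow(g, xc, p)
    client_ms = master_secret(pow(ys, xc, p), cr, sr)
    server_ms = master_secret(pow(yc, xs, p), cr, sr)
    # Under attack the two transcripts differ (DHE_RSA vs DHE_EXPORT), so the
    # attacker must forge both Finished messages, and that needs the master secret.
    client_view = f"{offered}|{client_sees}|{p}|{g}|{ys}|{yc}"
    server_view = f"{server_sees}|{suite}|{p}|{g}|{ys}|{yc}"
    if not mitm:
        result["finished_ok"] = hmac.compare_digest(
            finished_mac(client_ms, client_view), finished_mac(server_ms, server_view))
        return result

    x = brute_force_dlog(g, ys, p, DLOG_BUDGET)             # recover the server's DH secret
    if x is None:
        return result                                       # too slow: the Finished check fails
    attacker_ms = master_secret(pow(yc, x, p), cr, sr)
    result["attacker_recovered_key"] = attacker_ms == client_ms
    result["finished_ok"] = hmac.compare_digest(
        finished_mac(attacker_ms, client_view), finished_mac(client_ms, client_view)
    ) and hmac.compare_digest(
        finished_mac(attacker_ms, server_view), finished_mac(server_ms, server_view))
    return result


if __name__ == "__main__":
    for args in ({}, {"mitm": True}, {"mitm": True, "min_dh_bits": MIN_DH_BITS},
                 {"mitm": True, "server_suites": ("DHE_RSA",)}):
        print(args, "->", run_handshake(**args))
```

Run it directly to print the four scenarios. The forged Finished messages are what make the downgrade invisible: the attacker has to finish the discrete logarithm before the client gives up waiting, which is why the shared, precomputable 512-bit primes matter so much. `min_dh_bits` is the toy’s version of the 1024-bit floor browsers adopted after LogJam, and `server_suites` without `DHE_EXPORT` is the server-side fix.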
You may be thinking: why are companies still using these long-discarded 512-bit keys? In the 1990s, US export regulations, justified on national-security grounds, barred companies from shipping software abroad with encryption stronger than the government could break, and 512-bit “export-grade” key exchange was the ceiling. The rules were relaxed in 2000, but support for those weakened cipher suites was never removed from many products, and it has sat there, rarely used but still enabled, ever since.
How Does This Affect Me?
On the researchers’ website, you can test your browser to see if it is vulnerable to the attack; at the time of writing, the only major browser patched against LogJam is Microsoft’s Internet Explorer. Mozilla has said a Firefox fix will ship within a few days, while Google Chrome could take as long as a few weeks. Nobody expects this to become a widespread problem for ordinary users; just be extra wary on public wireless networks, where an attacker can most easily place themselves in the middle of your connections. Beyond man-in-the-middle attacks at the coffee shop, the real concern is for large organizations and governments: the same research estimated that a nation-state budget would suffice to precompute the most common 1024-bit groups as well, and there is speculation that this is one of the methods the NSA uses to monitor encrypted web traffic.
More importantly for sysadmins: the researchers’ site (weakdh.org) also offers a test for servers, together with deployment guidance. The fix on the server side is to disable the export cipher suites and move to a freshly generated 2048-bit Diffie-Hellman group (or to elliptic-curve Diffie-Hellman). You can check that out here.