Researchers working at Microsoft and other institutions have detected a new SSL flaw. The flaw is called LogJam, and its detection suggests that 8% of the top million websites using HTTPS (a protocol for secure communication) are vulnerable, regardless of whether users see a padlock icon in the address bar. Researchers claim that email services that use the TLS protocol might also be at risk. Luckily, companies are creating updates to fix this flaw; however, there is a possibility that a number (around 20 000) of websites will be blocked after the release of the updates. It is likely that only older websites whose code has not been updated for a long time will be affected.
Security specialists have found that the LogJam flaw affects the algorithm called Diffie-Hellman key exchange. This cryptographic algorithm allows Internet protocols to agree on a shared key and create a secure connection. Diffie-Hellman key exchange is fundamental to such protocols as HTTPS, SSH, SMTPS, and other protocols that rely on TLS (Transport Layer Security). Even though Diffie-Hellman key exchange is very popular and important, specialists have noticed that it is not perfect; according to them, it has several weaknesses.
People investigating the LogJam flaw have noticed that it allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to a lower level of encryption, i.e. 512-bit. This allows the attacker to read and modify the data passed over the connection. Research has shown that LogJam can affect any server that supports DHE_EXPORT ciphers. It can affect modern browsers as well.
Security experts claim that Internet users should not be worried too much because LogJam can be exploited only when hackers and targets are on the same network. In addition, a patch will be released very soon. For organizations, according to the specialists, it would be best to perform a security health-check as soon as possible.
As already mentioned, companies are working on updates that will fix the LogJam flaw. In the meantime, it is advisable to follow these recommendations:
If you have a web or mail server, you should definitely disable support for export cipher suites. On top of that, it is very important that you generate a 2048-bit Diffie-Hellman group. Finally, you should upgrade server and client installations to the newest version of OpenSSH.
Specialists have also prepared recommendations for ordinary computer users. If you use Internet Explorer, Google Chrome, Mozilla Firefox or Safari, you should keep your browser up-to-date and check for updates frequently. Companies are currently creating updates that will help to fix the LogJam flaw.
If you are a sys-admin or a developer, you should definitely make sure that you use TLS libraries that are completely up-to-date. In addition, it is very important that your servers use 2048-bit or larger primes. Finally, you should also make sure that your clients reject Diffie-Hellman primes that are smaller than 1024-bit.
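The size checks recommended above can be applied to the Diffie-Hellman parameters a server actually sends. The following Python code is an added example, not code from the researchers or from any vendor: it parses the `ServerDHParams` structure of a TLS DHE handshake (three length-prefixed integers p, g and Ys) and applies the 512-bit, 1024-bit and 2048-bit sizes mentioned in this article. The function names, verdict strings and sample values are assumptions made for illustration.

```python
import struct

SERVER_MIN_BITS = 2048  # article: servers should use 2048-bit or larger primes
CLIENT_MIN_BITS = 1024  # article: clients should reject primes below 1024 bits
EXPORT_BITS = 512       # article: size a downgraded connection ends up with

def _read_opaque16(buf, off):
    """Read one TLS opaque<1..2^16-1>: 2-byte big-endian length, then the bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + n
    if n == 0 or end > len(buf):
        raise ValueError("empty or truncated vector")
    return buf[off + 2:end], end

def parse_server_dh_params(buf):
    """Return (p, g, Ys) as integers from a ServerDHParams structure."""
    values, off = [], 0
    for _ in range(3):
        raw, off = _read_opaque16(buf, off)
        values.append(int.from_bytes(raw, "big"))
    return tuple(values)

def assess(buf):
    """Classify the offered group by the bit length of its prime p."""
    try:
        p, _g, _ys = parse_server_dh_params(buf)
    except ValueError as exc:
        return {"bits": 0, "client_accepts": False, "verdict": f"malformed: {exc}"}
    bits = p.bit_length()
    verdict = ("export-grade" if bits <= EXPORT_BITS else
               "too small" if bits < CLIENT_MIN_BITS else
               "accepted, server should regenerate" if bits < SERVER_MIN_BITS else "ok")
    return {"bits": bits, "client_accepts": bits >= CLIENT_MIN_BITS, "verdict": verdict}

def build_sample(p, g=2, ys=4):
    """Constructed input: serialise integers in ServerDHParams layout."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack(">H", len(raw)) + raw
    return out

if __name__ == "__main__":
    # Constructed odd integers of the right size, not real Diffie-Hellman primes.
    for size in (512, 768, 1024, 2048):
        print(size, assess(build_sample((1 << (size - 1)) | 1)))
```

A 1024-bit group passes the client-side check but still falls short of the 2048-bit server recommendation, which is why the two thresholds are reported separately.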
You might think that a trustworthy antimalware tool would help you to protect your PC from this flaw; however, this is not the case. Even though a security tool will not protect you from the risks associated with the LogJam flaw, it is still very important to acquire a security tool and keep it installed on the system in order to prevent malicious software from entering. In fact, malware might be as dangerous as the LogJam flaw because malicious applications might make various changes on your PC, and it might become impossible to use it. On top of that, they might use your PC’s resources and your Internet connection to perform various activities, which means that it might be impossible to perform even the simplest activities using your PC.