
SANS ISC: InfoSec Handlers Diary Blog



Logjam - vulnerabilities in Diffie-Hellman key exchange affect browsers and servers using TLS

Published: 2015-05-20
Last Updated: 2015-05-20 19:03:17 UTC
by Brad Duncan (Version: 1)

There's a new vulnerability in town... "The new bug, dubbed LogJam, is a cousin of Freak. But it’s in the basic design of TLS itself, meaning all Web browsers, and some email servers, are vulnerable." [1] According to the article, "Internet-security experts crafted a fix for a previously undisclosed bug in security tools used by all modern Web browsers. But deploying the fix could break the Internet for thousands of websites."

The Logjam attack can allow an attacker "to significantly weaken the encrypted connection between a user and a Web or email server..." [2]

From: https://weakdh.org/

Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS.

We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed...

We're starting to see news coverage from other outlets, and we're sure more analysis will emerge. However, at this time your best source for more information on this bug is weakdh.org.

For now, ensure you have the most recent version of your browser installed, and check for updates frequently. If you’re a system administrator, please review the Guide to Deploying Diffie-Hellman for TLS at https://weakdh.org/sysadmin.html

--
Brad Duncan
ISC Handler and Security Researcher at Rackspace

References:

[1] http://www.wsj.com/articles/new-computer-bug-exposes-broad-security-flaws-1432076565
[2] http://www.pcworld.com/article/2924532/new-encryption-flaw-logjam-puts-web-surfers-at-risk.html
