Logjam - vulnerabilities in Diffie-Hellman key exchange affect browsers and servers using TLS

Published: 2015-05-20
Last Updated: 2015-05-20 19:03:17 UTC
by Brad Duncan (Version: 1)
11 comment(s)

There's a new vulnerability in town...   "The new bug, dubbed LogJam, is a cousin of Freak. But it’s in the basic design of TLS itself, meaning all Web browsers, and some email servers, are vulnerable." [1]  According to the article, "Internet-security experts crafted a fix for a previously undisclosed bug in security tools used by all modern Web browsers. But deploying the fix could break the Internet for thousands of websites."

Logjam attack can allow an attacker "to significantly weaken the encrypted connection between a user and a Web or email server..." [2]

From: https://weakdh.org/

Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS.

We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed...

We're starting to see news coverage from other outlets, and we're sure more analysis will emerge.  However, at this time your best source for more information on this bug is at weakdh.org.

For now, ensure you have the most recent version of your browser installed, and check for updates frequently.  If you’re a system administrator, please review the Guide to Deploying Diffie-Hellman for TLS at https://weakdh.org/sysadmin.html

Brad Duncan
ISC Handler and Security Researcher at Rackspace


[1] http://www.wsj.com/articles/new-computer-bug-exposes-broad-security-flaws-1432076565
[2] http://www.pcworld.com/article/2924532/new-encryption-flaw-logjam-puts-web-surfers-at-risk.html

11 comment(s)
Diary Archives