A new vulnerability has been discovered and – whilst it’s not yet known how serious it is – why risk it? There are some things you can do to protect yourself, so prep your system ASAP to ensure that current you is looking after future you.
LogJam is a new vulnerability affecting the encryption of browser data. As you can see it’s already got a fun name, and a website, which opens with the warning, “Your web browser is vulnerable and could be tricked into using weak encryption”.
The vulnerability affects the Diffie-Hellman key exchange, which is a popular cryptographic algorithm; and it’s kinda like the FREAK attack from earlier in the year, and was actually found during follow-up investigations for it.
What that means is that when a server and a browser send info across to each other they decide between them which is the best and strongest method of encryption to use. LogJam tricks them into believing they’ve chosen the strongest method, but they’re actually using the 512-bit keys “export grade”, which is an older and less secure method.
It could potentially affect anything served over SSL (secure sockets layer) or the newer version, TLS. Both protocols are used to encrypt data that goes around the internet.
The website explains that because “export grade” hangs around in ciphersuites, “a man-in-the-middle can force TLS clients to use export strength DH with any server that allows DHE_EXPORT.” Translation: not something you want messing with your system.
Patches are coming thick and fast though. Microsoft fixed Internet Explorer last week, and patches for Firefox and Apple’s Safari browser should be released soon, according to Matthew D. Green, an assistant research professor at Johns Hopkins University.
He reckons that servers are the issue in this instance, saying: “The big problem is that software people use to run email servers is not as well maintained…They don’t think about them. They just set them up and forget them. A lot of the default configurations that are shipped with them are bad ones.” We’ve spoken before about the importance of not only putting strong security measures in place, but also maintaining them, and this is an unfortunate case in point.
If you’re worried, the site suggests the following:
If you run a server…
If you have a web or mail server, you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. There is a Guide to Deploying Diffie-Hellman for TLS with step-by-step instructions. If you use SSH, you should upgrade both your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman Key Exchange.
If you use a browser…
Make sure you have the most recent version of your browser installed, and check for updates frequently. Google Chrome (including Android Browser), Mozilla Firefox, Microsoft Internet Explorer, and Apple Safari are all deploying fixes for the Logjam attack.
If you’re a sysadmin or developer …
Make sure any TLS libraries you use are up-to-date and that you reject Diffie-Hellman Groups smaller than 1024-bit.
For more information on UKFast’s security solutions take a look at our website or give us a call on 0208 045 4945.