Encryption Flaw Blocks Websites

Updates that fix a flaw in an encryption algorithm have caused a minority of websites to be blocked by the software.

The "LogJam" attack was discovered by researchers at Microsoft and a number of US and French universities, who believe about 8% of the top one million HTTPS security-protected sites are made vulnerable by the flaw.

This would mean that users would then be given false reassurance by the padlock icon that such sites display in a browser's address bar.

It is also thought that some email services and servers that use the Transport Layer Security cryptographic protocol are at risk of being hacked until their operators update their systems.

This latest vulnerability is a legacy of 1990s-era US export restrictions on cryptographic tools, which limited the complexity of the secret encryption codes that could be generated by "international versions of US-made software, including Netscape's web browser."

The export rules were soon relaxed; however, researchers say an unintended consequence is that a commonly used process called a Diffie-Hellman key exchange can be compromised by a "man-in-the-middle attack".

This was one of the first techniques developed to allow two or more parties to create and share an encryption key by exchanging parts of the key in public.

The researchers soon discovered that by intercepting the communications, a hacker could ensure a 512-bit key was used, rather than a more advanced one. Researchers said it was possible for hackers to crack the code in a matter of minutes.

They said: "In the 1024-bit case, we estimate that such computations are plausible given nation-state resources, and a close reading of published NSA leaks shows that the agency's attacks on VPNs [virtual private networks] are consistent with having achieved such a break."

Cybersecurity expert at the University of Surrey, Professor Alan Woodward, said: "The solution is relatively simple - you disable this legacy function on your system.

"Unfortunately, some older web servers might then be prevented from starting a secure conversation with the updated web browsers as they would support only those older, shorter, weaker key lengths.

"But do you really want this backward compatibility if it means others could be forced to use this weaker form of encryption?

"Browsers can be updated and servers can be reconfigured easily, and it really is no bad thing to force this to happen bearing in mind the alternative is that a 'secure connection' could potentially be broken by an eavesdropper."

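The client-side check behind the blocking described above can be sketched as follows. This is an added example, not code from the article, the researchers or any browser: it reads the Diffie-Hellman prime from the start of a TLS ServerKeyExchange message and refuses primes below a size floor. The 1024-bit floor, the function names and the sample parameters are assumptions made for illustration.

```python
import struct

MIN_DH_BITS = 1024  # assumed policy floor for this example, not a figure from the article

def read_opaque16(buf, offset):
    """Read one TLS opaque<1..2^16-1> field: 2-byte big-endian length, then the data."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from(">H", buf, offset)
    end = offset + 2 + length
    if length == 0 or end > len(buf):
        raise ValueError("empty or truncated field")
    return int.from_bytes(buf[offset + 2:end], "big"), end

def parse_server_dh_params(body):
    """Return (p, g, Ys) from the ServerDHParams at the start of a DHE ServerKeyExchange."""
    p, off = read_opaque16(body, 0)
    g, off = read_opaque16(body, off)
    ys, _ = read_opaque16(body, off)   # the signature that follows is not examined here
    return p, g, ys

def accept_server_dh(body, min_bits=MIN_DH_BITS):
    """True only if the prime meets the floor and both values are in range."""
    try:
        p, g, ys = parse_server_dh_params(body)
    except ValueError:
        return False                    # malformed parameters: refuse the handshake
    if p.bit_length() < min_bits:
        return False                    # export-grade or otherwise short prime
    return 1 < g < p - 1 and 1 < ys < p - 1

def build_params(p, g, ys):
    """Encode constructed sample parameters in the same wire layout."""
    out = b""
    for n in (p, g, ys):
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        out += struct.pack(">H", len(raw)) + raw
    return out

# Constructed samples: odd numbers of the right size, not real primes or captured traffic.
WEAK_512 = build_params(2**511 + 111, 2, 4)
STRONG_2048 = build_params(2**2047 + 1, 2, 4)

if __name__ == "__main__":
    for name, body in (("512-bit", WEAK_512), ("2048-bit", STRONG_2048)):
        print(name, "accepted" if accept_server_dh(body) else "rejected")
```

A server that can only offer the 512-bit parameters is rejected by this check, which is the kind of site the updated software blocks.
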
Mozilla, which is responsible for the Firefox browser, said its new software should be released within the next few days.

The organisation's cryptographic engineering manager, Richard Barnes, said: "Most of the coordination in this case was done thanks to the researchers who found the bug. They provided valuable measurement data to the various browser vendors, which allowed us all to calibrate our response."
