Another HTTPS Vulnerability Rattles The Internet

Written by Eric Griffith in Free Software on 20 May 2015 at 09:04 AM EDT. 14 Comments
FREE SOFTWARE
Another HTTPS vulnerability has started to make its rounds earlier this morning. Dubbed Logjam by its researchers, the vulnerability stems from the US's encryption export mandate back in the 1990s. This particular vulnerability, in the transport-layer security layer protocol, breaks the Diffie-Hellman perfect forward-secrecy. Susceptibility to the vulnerability is depended on servers and clients supporting the DHE_EXPORT encryption scheme, or using a key less-than-or-equal to 1024 bits.

As of today only Internet Explorer has been updated to protect against Logjam, with fixes from Chrome, Firefox and Safari thought to be coming in the next few days.

The Logjam vulnerability is capable of breaking encryption to HTTPS supported websites, E-mail servers supporting SMTP with StartTLS, secure POP3, and IMAP. Additionally the researchers believe that 66 percent of VPN servers, and 26 percent of SSH servers are susceptible to passive eavesdropping. It is believed that this attack is already being used out in the wild by at least one state agency.

More information on the vulnerability can be found on a website that the developers have set up. They also include step by step instructions for server administrators to help sure they are not vulnerable. Additionally, the step by step includes a "Test A Server" function to make sure servers you care about are not vulnerable. Phoronix is not susceptible. Additional SSL configuration checking can be performed via SSL Labs.
Related News
Popular News This Week