Another Major Security Flaw (Website Encryption Technology) Called Logjam

A new report came out  https://weakdh.org/imperfect-forward-secrecy.pdf

imperfectforwardsecrecy

 

 

The group of researchers created a website to explain their findings: The Logjam Attack (https://weakdh.org)

It looks like they also did a scan of the Internet (this is typical of security researchers using zmap.io) and found over 8.4% of Top1 million domains were at risk. This means 84,000 websites are at risk.

There are more websites that could be at risk if the 1024 bit group is broken 17.9% of top1 million domains. (179,000).

I suspect there are many more websites vulnerable to this potential attack, I believe that the hackers are busy right now trying to use this new attack method to attack specific websites that there was no way to attack before.

The researchers have developed a test to test your own server:

https://weakdh.org/sysadmin.html

 

In this link there are 3 Steps to accomplish a fix on your site (deploying Diffie-Hellman for TLS)

1. disable Export Cipher Suites

2. Deploy (Ephemeral) elliptic-Curve Diffie-hellman(ECDHE)

3. Generate a Strong, Unique Diffie Hellman Group (at least 2048bit or stronger. using a safe prime.

 

 

So to summarize:

If you have a https (encrypted website) on your webserver please review the details of your cryptographic Cipher technique. If needed please change to 2048bit or higher Diffie-Hellman Group.

logjam-whoisaffected(from the weakdh.org website)

Here is a wiki on openssl.org:  https://wiki.openssl.org/index.php/Diffie_Hellman  that describes the different methods of Diffie-Hellman (which has to do with generating the key for the cryptographic exchange between the 2 systems)

Ephemeral Diffie-Hellman uses temporary, public keys. Each instance or run of the protocol uses a different public key. The authenticity of the server’s temporary key can be verified by checking the signature on the key. Because the public keys are temporary, a compromise of the server’s long term signing key does not jeopardize the privacy of past sessions. This is known as Perfect Forward Secrecy (PFS).

 

If you are interested in these kinds of details there are many sites to educate on this topic including this one: http://internetokracy.appspot.com/crypto1 by Richard Schwartz.

 

 

(I am going to leave this post the top post for Thursday the 21st of May as well since it is an important topic to wrap your mind around it.

 

If you need help in deciding if your website is susceptible to this attack concept please contact us

Or Just help us in educating the Internet and Tip Us 🙂  (tipJar on right column)

(Updated a few lines May21st to make the blogpost cleaner)

 

 

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.