Overview of Logjam
On May 20, 2015, a team of researchers announced a new vulnerability in the protocol that allows web servers to establish secure (HTTPS) connections to web browsers. Calling this exploit the Logjam Attack, the team of computer scientists and security specialists from multiple universities and technology companies demonstrated how a man-in-the-middle attacker could downgrade a vulnerable TLS connection to use an encryption cipher that is “relatively easily” broken. This attack is the latest in a series of cipher downgrade attacks, such as FREAK and POODLE, that target implementations of the HTTPS protocol.
SSL/TLS Overview
To understand how this attack works, it might be helpful to review how TLS (Transport Layer Security, though this protocol is often still referred to by its predecessor’s initialism, SSL, Secure Sockets Layer) protects an HTTPS connection. When a web browser requests a webpage via an HTTPS connection, the host server will first offer its certificate to authenticate its identity, which uses asymmetric cryptography within the public key infrastructure. Once authenticated, the server then enters into a negotiation with the client browser over which cipher suite they will use for the connection. In most cases, they will use the most robust cipher suite they can agree upon. Once they have determined the encryption algorithm, they negotiate their shared secret key via a process called the Diffie-Hellman Key Exchange.
Diffie-Hellman Key Exchange
The Diffie-Hellman Key Exchange allows two parties to securely generate a new shared key over an insecure medium. The larger the bit-length of the Diffie-Hellman group, the more resilient it is to being cracked by a brute force attack. Groups of 1024 bits are in wide use, though the researchers who discovered the Logjam vulnerability posit that state-sponsored actors are within reach of cracking encryption of this strength. The Logjam vulnerability is exploited by forcing the two parties to downgrade the Diffie-Hellman group to a 512-bit group, which can be cracked in minutes.
How Concerned Should We Be?
Exploiting the Logjam vulnerability requires an attacker to occupy a man-in-the-middle position. In other words, an attacker would need to access the same network as the client, server, or any ISP in between. This access, which includes most wired connections, is generally walled off from most garden-variety snoopers. If you access the Internet via an open public Wi-Fi access point, then you might have cause for concern, whether from an exploit of this vulnerability or a host of others. In that case, your best bet is to utilize a VPN (if you are concerned about security, then this is a prudent strategy in any case).
If an attacker can pull off this exploit, it’s only the first step. The attacker still needs access to a device with significant computational power to successfully decrypt any intercepted and downgraded encrypted traffic. As such, it’s not the most straightforward trick to execute, so it’s probably not a vulnerability that one should lose too much sleep over. However, a vulnerability is a vulnerability, so the sooner it is patched, the sooner you can knock it off the list of things to worry about.
What To Do To Protect Yourself
As of the release of the news of this discovery, only the latest version of Internet Explorer has been patched for this exploit (it should be noted that one of the researchers on this team works for Microsoft Research). Mozilla, Google, and Apple have announced that they are working on patches for their respective browsers, Firefox, Chrome, and Safari. When those patches are released, you should update your browser to those versions to enable protection from this vulnerability. In the meantime, though, if you are concerned about your exposure to this sort of attack, you might want to stick to IE for your secure browsing.
If you administer a web or email server, you can mitigate your vulnerability by removing export suites (old, intentionally weakened ciphers that were once the only encryption technology allowed to be exported outside the United States) from the server's list of cipher suites. The group who discovered this exploit also recommended the usage of Elliptic Curve Diffie-Hellman, Ephemeral (ECDHE) as preferred ciphers for their resilience to all known cryptographic attacks. See their site where you can test your server and get guidance on making these configuration changes.
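As an added illustration of the server-side advice above (this is not code from the researchers or from this article's author), the following Python sketch audits a colon-separated list of OpenSSL-style cipher suite names: it drops export suites, moves ECDHE suites to the front, and flags remaining finite-field DHE suites whose group size should be checked. It assumes the list contains explicit suite names only, and the sample list is constructed for the example.

```python
# Added example: audit an OpenSSL-style cipher list for Logjam exposure.
# Assumption: the list holds explicit suite names, not keywords like !EXPORT.

def classify(suite):
    """Return 'export', 'ecdhe', 'dhe' or 'other' for an OpenSSL suite name."""
    name = suite.upper()
    if name.startswith("EXP"):             # EXP-..., EXP1024-...: export-grade
        return "export"
    if name.startswith("ECDHE-"):          # elliptic-curve ephemeral DH
        return "ecdhe"
    if name.startswith(("DHE-", "EDH-")):  # finite-field ephemeral DH
        return "dhe"
    return "other"

def harden(cipher_list):
    """Drop export suites and move ECDHE suites to the front.

    Returns (hardened_list, removed, warnings). Order inside each class is
    preserved so the operator's other preferences survive.
    """
    suites = [s for s in cipher_list.split(":") if s]
    removed = [s for s in suites if classify(s) == "export"]
    kept = [s for s in suites if classify(s) != "export"]
    # list.sort() is stable: ECDHE first, the rest in their original order.
    kept.sort(key=lambda s: classify(s) != "ecdhe")
    warnings = [f"{s}: finite-field DH, check the group size"
                for s in kept if classify(s) == "dhe"]
    return ":".join(kept), removed, warnings

# Constructed sample configuration value, not taken from a real server.
SAMPLE = ("DHE-RSA-AES128-SHA:EXP-EDH-RSA-DES-CBC-SHA:"
          "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:EXP-RC4-MD5:"
          "ECDHE-RSA-AES256-GCM-SHA384")

if __name__ == "__main__":
    hardened, removed, warnings = harden(SAMPLE)
    print("removed :", removed)
    print("hardened:", hardened)
    for w in warnings:
        print("warning :", w)
```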