The Logjam Vulnerability


Photo: Sharon Mollerus / licensed under CC BY 2.0

Overview of Logjam

On May 20, 2015, a team of researchers announced a new vulnerability in the protocol that allows web servers to establish secure (HTTPS) connections to web browsers. Calling this exploit the Logjam Attack, the team, made up of computer scientists and security specialists from multiple universities and technology companies, demonstrated how it is possible for a man-in-the-middle attacker to downgrade a vulnerable TLS connection to use an encryption cipher which is “relatively easily” broken. This attack is the latest in a series of cipher downgrade attacks, such as FREAK and POODLE, that target implementations of the HTTPS protocol.

SSL/TLS Overview

To understand how this attack works, it helps to review how TLS (Transport Layer Security, though the protocol is still often referred to by its predecessor’s initialism, SSL, for Secure Sockets Layer) protects an HTTPS connection. When a web browser requests a webpage via an HTTPS connection, the host server first offers its certificate to authenticate its identity, relying on the asymmetric cryptography of the public key infrastructure. Once authenticated, the server negotiates with the client browser over which cipher suite they will use for the connection. In most cases, they will use the strongest cipher suite they are able to agree upon. Once they have determined the encryption algorithm, they negotiate their shared secret key via a process called the Diffie-Hellman Key Exchange.

Diffie-Hellman Key Exchange

The Diffie-Hellman Key Exchange allows two parties to securely generate a new shared key over an insecure medium. The larger the bit-length of the Diffie-Hellman group, the more resilient it is to being cracked by a brute force attack. Groups of 1024 bits are in wide use, though the researchers who discovered the Logjam vulnerability posit that it is within the reach of state-sponsored actors to crack encryption of this strength. The Logjam vulnerability is exploited by forcing the two parties to downgrade the Diffie-Hellman group to a 512-bit group, which can be cracked in minutes.

How Concerned Should We Be?

Exploiting the Logjam vulnerability requires an attacker to be able to occupy a man-in-the-middle position. In other words, an attacker would need to be able to access the same network as the client, server, or any ISP in between. This access, which includes most wired connections, is generally walled off from most garden-variety snoopers. If you access the Internet via an open public wi-fi access point, then you might have cause for concern, whether from an exploit of this vulnerability or a host of others. In that case, your best bet is to utilize a VPN (if you are concerned about security, then this is a prudent strategy in any case).

If an attacker is able to pull off this exploit, it’s only the first step. It still requires that attacker to have access to a device with significant computational power to successfully decrypt any intercepted and downgraded encrypted traffic. As such, it’s not the simplest trick to execute, so it’s probably not a vulnerability that one should lose too much sleep over. However, a vulnerability is a vulnerability, so the sooner patched, the sooner you can knock it off the list of things to worry about.

What To Do To Protect Yourself

As of the release of the news of this discovery, only the latest version of Internet Explorer has been patched for this exploit (it should be noted that one of the researchers on this team works for Microsoft Research). Mozilla, Google, and Apple have announced that they are working on patches for their respective browsers, Firefox, Chrome, and Safari. When those patches are released, you should update your browser to those versions to enable protection from this vulnerability. In the meantime, though, if you are concerned about your exposure to this sort of attack, you might want to stick to IE for your secure browsing.

If you administer a web or email server, you can mitigate your vulnerability by removing export suites (old, intentionally weakened ciphers that were once the only encryption technology allowed to be exported outside the United States) from the list of cipher suites on your cloud server. The group that discovered this exploit also recommends Elliptic Curve Diffie-Hellman, Ephemeral (ECDHE) suites as the preferred ciphers for their resilience to all known cryptographic attacks. See their site, where you can test your server and get guidance on how to make these configuration changes.
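One way to check a server's configuration against the advice above, as an added example that is not from the original article or the researchers' site: it audits the colon-separated suite list that `openssl ciphers` prints for a cipher string, together with the server's DH group size. The function names, grade labels and sample lists are assumptions constructed for illustration.

```python
from typing import List, Optional

def classify(suite: str) -> str:
    """Classify one OpenSSL-style suite name by its key exchange."""
    name = suite.upper()
    if name.startswith("EXP"):
        return "export"   # intentionally weakened export-grade suite
    if name.startswith("ECDHE-"):
        return "ecdhe"    # the kind the article says to prefer
    if name.startswith(("DHE-", "EDH-")):
        return "dhe"      # finite-field DH: strength depends on group size
    return "other"

def grade_dh_group(bits: int) -> str:
    """Grade a DH group size using only the two sizes the article calls out."""
    if bits <= 512:
        return "broken"       # article: can be cracked in minutes
    if bits <= 1024:
        return "weak"         # article: within reach of state-sponsored actors
    return "not-flagged"      # larger than either size the article discusses

def audit(resolved: str, dh_bits: Optional[int] = None) -> List[str]:
    """Return findings for a resolved suite list, in server preference order."""
    suites = [s for s in resolved.strip().split(":") if s]
    kinds = [classify(s) for s in suites]
    findings = [f"REMOVE {s}: export-grade suite"
                for s, k in zip(suites, kinds) if k == "export"]
    if "dhe" in kinds:
        if dh_bits is None:
            findings.append("CHECK: DHE suites enabled, DH group size unknown")
        elif grade_dh_group(dh_bits) != "not-flagged":
            findings.append(
                f"REPLACE DH group: {dh_bits}-bit is {grade_dh_group(dh_bits)}")
    if "ecdhe" not in kinds:
        findings.append("ADD: no ECDHE suites offered")
    elif kinds[0] != "ecdhe":
        findings.append(f"REORDER: {suites[0]} is ranked ahead of ECDHE suites")
    return findings

# Constructed sample lists (not captured from any real server).
BEFORE = ("DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:"
          "EXP-EDH-RSA-DES-CBC-SHA:EXP-RC4-MD5")
AFTER = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
         "DHE-RSA-AES128-GCM-SHA256")

if __name__ == "__main__":
    for label, suites, bits in (("before", BEFORE, 1024), ("after", AFTER, 2048)):
        print(label, audit(suites, bits) or "no findings")
```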

Atlantic.Net’s world-class cloud hosting solutions and technical staff work around the clock to make sure that our customers’ data is secure and private. Please feel free to contact our staff and check our community and blog pages for any further updates.