November 28, 2020

Security and Privacy: Another Massive HTTPS Encryption Attack is a Threat to Most Web Users

This new encryption attack has been named “Logjam.”

From ars technica:

Tens of thousands of HTTPS-protected websites, mail servers, and other widely used Internet services are vulnerable to a new attack that lets eavesdroppers read and modify data passing through encrypted connections, a team of computer scientists has found.

[Clip]

“Logjam shows us once again why it’s a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for,” J. Alex Halderman, one of the scientists behind the research, wrote in an e-mail to Ars. “That’s exactly what the US did in the 1990s with crypto export restrictions, and today that backdoor is wide open, threatening the security of a large part of the Web.”

[Clip]

According to this informational site established by the researchers, only Internet Explorer has been updated to protect end users against Logjam attacks. The researchers said they have been working with developers of major browsers and that Chrome, Firefox, and Safari are also expected to implement a fix that rejects encrypted connections unless the key material contains a minimum of 1024 bits. Updates are expected to be available in the next day or two, and possibly much sooner. Information on vulnerable end-user e-mail programs wasn’t available at the time this post was being prepared.

Read the Complete ars technica Report

More From Freedom Hacker:

…the Logjam explanation reads, a flaw researched by a group of experts from Johns Hopkins University, Microsoft and the University of Michigan among other locations.

Logjam is a severe vulnerability for a number of reasons, including:

  • Logjam allows potential attackers to trick web browsers into thinking the export key version is the regular key.
  • A majority of systems reuse the same large numbers to generate keys, now making it faster and easier for attackers to crack.
  • LogJam vulnerability has been present for over 20 years, affecting HTTPS, SMTPS, SSH, IPsec among other protocols that rely on TLS.

Read the Complete Freedom Hacker Report

Direct to The Logjam Attack Info Page
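
The browser-side fix described in the Ars Technica excerpt above, refusing a connection when the server's Diffie-Hellman key material is under 1024 bits, can be sketched as follows. This is an added example, not code from the researchers, the browser vendors, or either report; the function names and sample values are assumptions, and the message layout follows the TLS 1.2 ServerDHParams structure.

```python
import struct

MIN_DH_BITS = 1024  # floor quoted in the article for the browser fix

class WeakDHGroup(Exception):
    """Raised when the server's Diffie-Hellman prime is below the floor."""

def parse_server_dh_params(body: bytes) -> dict:
    """Parse dh_p, dh_g, dh_Ys from the start of a DHE ServerKeyExchange body."""
    # Each field is an opaque vector with a 2-byte big-endian length prefix
    # (ServerDHParams, RFC 5246 section 7.4.3).
    params, offset = {}, 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"truncated before {name}")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError(f"bad length for {name}")
        params[name] = int.from_bytes(body[offset:offset + length], "big")
        offset += length
    return params

def check_dh_group(body: bytes, min_bits: int = MIN_DH_BITS) -> int:
    """Return the prime's size in bits, or raise WeakDHGroup if too small."""
    p = parse_server_dh_params(body)["dh_p"]
    # Measure the value, not the field length: leading zero bytes must not
    # let a 512-bit export-grade prime pass as a longer one.
    bits = p.bit_length()
    if bits < min_bits:
        raise WeakDHGroup(f"{bits}-bit DH prime is below the {min_bits}-bit floor")
    return bits

def encode_params(p: int, g: int, ys: int, pad_p_to: int = 0) -> bytes:
    """Build a constructed ServerDHParams blob (sample input only)."""
    out = b""
    for value, width in ((p, pad_p_to), (g, 0), (ys, 0)):
        raw = value.to_bytes(max(width, (value.bit_length() + 7) // 8), "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

# Constructed sample values: odd numbers of the right size, not real primes.
EXPORT_SIZED = encode_params((1 << 511) | 1, 2, 4)
PADDED_EXPORT = encode_params((1 << 511) | 1, 2, 4, pad_p_to=128)
ACCEPTABLE = encode_params((1 << 1023) | 1, 2, 4)
```

The check only enforces the size floor; it does not verify that the prime is actually prime or that the group is a safe one.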

About Gary Price

Gary Price (gprice@mediasourceinc.com) is a librarian, writer, consultant, and frequent conference speaker based in the Washington D.C. metro area. Before launching INFOdocket, Price and Shirl Kennedy were the founders and senior editors at ResourceShelf and DocuTicker for 10 years. From 2006-2009 he was Director of Online Information Services at Ask.com, and is currently a contributing editor at Search Engine Land.
