Welcome to WebmasterWorld Guest from 18.104.22.168
Forum Moderators: phranque
Tens of thousands of HTTPS-protected websites, mail servers, and other widely used Internet services are vulnerable to a new attack that lets eavesdroppers read and modify data passing through encrypted connections, a team of computer scientists has found.
The vulnerability affects an estimated 8.4 percent of the top one million websites and a slightly bigger percentage of mail servers populating the IPv4 address space, the researchers said. The threat stems from a flaw in the transport layer security protocol that websites and mail servers use to establish encrypted connections with end users. The new attack, which its creators have dubbed Logjam, can be exploited against a subset of servers that support the widely used Diffie-Hellman key exchange, which allows two parties that have never met before to negotiate a secret key even though they're communicating over an unsecured, public channel. LogJam Encryption Algo May Block Thousands of HTTPS Sites [arstechnica.com]
...only Internet Explorer has been updated to protect end users against Logjam attacks. The researchers said they have been working with developers of major browsers and that Chrome, Firefox, and Safari are also expected to implement a fix that rejects encrypted connections unless the key material contains a minimum of 1024 bits. Updates are expected to be available in the next day or two, and possibly much sooner.