Welcome to WebmasterWorld Guest from 54.211.135.32

Forum Moderators: phranque

Message Too Old, No Replies

LogJam Encryption Algo May Block Thousands of HTTPS Sites

     
11:34 am on May 21, 2015 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:26174
votes: 960


Yet another potential problem for webmasters with encrypted sites! Most users won't realise what the problem is when they can't get to a site. Hopefully, the browser fix comes through quickly, but, we can't know about all those with out-of-date browsers.


Tens of thousands of HTTPS-protected websites, mail servers, and other widely used Internet services are vulnerable to a new attack that lets eavesdroppers read and modify data passing through encrypted connections, a team of computer scientists has found.

The vulnerability affects an estimated 8.4 percent of the top one million websites and a slightly bigger percentage of mail servers populating the IPv4 address space, the researchers said. The threat stems from a flaw in the transport layer security protocol that websites and mail servers use to establish encrypted connections with end users. The new attack, which its creators have dubbed Logjam, can be exploited against a subset of servers that support the widely used Diffie-Hellman key exchange, which allows two parties that have never met before to negotiate a secret key even though they're communicating over an unsecured, public channel. LogJam Encryption Algo May Block Thousands of HTTPS Sites [arstechnica.com]
...only Internet Explorer has been updated to protect end users against Logjam attacks. The researchers said they have been working with developers of major browsers and that Chrome, Firefox, and Safari are also expected to implement a fix that rejects encrypted connections unless the key material contains a minimum of 1024 bits. Updates are expected to be available in the next day or two, and possibly much sooner.
7:51 pm on May 21, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member fathom is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 5, 2002
posts: 4110
votes: 109


Haven't jumped on this band wagon yet. But that was due to procrastination and not being insightful.
9:45 pm on May 21, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 5, 2002
posts: 1864
votes: 5


Is there a reputable site that can check your site for vulnerability?
2:51 am on May 22, 2015 (gmt 0)

Junior Member

5+ Year Member

joined:Jan 25, 2011
posts:51
votes: 0


@Tonearm

[tools.keycdn.com...]

[ssllabs.com...]
3:56 pm on May 22, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 5, 2002
posts: 1864
votes: 5


mrtonyg, thank you but do you know which of the ssllabs checks is the one that checks logjam? I'd like to be able to verify that I'm OK there.
10:02 pm on May 22, 2015 (gmt 0)

Junior Member

5+ Year Member

joined:Jan 25, 2011
posts:51
votes: 0


@Tonearm the first link will tell you outright if the server is vulnerable or not.

I believe ssllabs just states something along the lines of:
"This server supports weak Diffie-Hellman (DH) key exchange parameters."


Edit: Here is another site that will check for logjam issues:
[weakdh.org...]
10:39 pm on May 22, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 5, 2002
posts: 1864
votes: 5


Any idea why my server would already be immune to this? I'm surprised since it's a newly discovered vulnerability.
10:47 pm on May 22, 2015 (gmt 0)

Junior Member

5+ Year Member

joined:Jan 25, 2011
posts:51
votes: 0


The vulnerability does not affect all sites...only those that are running weak ciphers with TLS.
10:53 pm on May 22, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 5, 2002
posts: 1864
votes: 5


I'm just not sure why I would have disabled those weak ciphers previously since it's a new vulnerability.
10:59 pm on May 22, 2015 (gmt 0)

Junior Member

5+ Year Member

joined:Jan 25, 2011
posts:51
votes: 0


We'll that's good, you set up the server with strong encryption.
If those three sites agree then you are good to go!