New Critical Encryption Bug Affects Thousands of Sites

A critical vulnerability has been uncovered by security researchers.

A new and critical vulnerability uncovered by security researchers would allow an attacker to intercept and decrypt secured communications exchanged between users and thousands of web sites and mail servers worldwide.

The vulnerability, dubbed "Logjam," affects what's known as the Transport Layer Security protocol that web sites, VPN servers and mail servers use to encrypt traffic. It would allow an attacker sitting between a user and a vulnerable server to lower that encryption to a level more easily cracked. The researchers, an international group composed of academics and non-academics in France and the U.S., found the flaw affects at least 8.4 percent of the top one million web domains, about the same number of mail servers, and every modern web browser.

To conduct an attack, an adversary would need to be on the same network as the user, such as a WiFi network.

The vulnerability, which follows in the wake of other serious infrastructure vulnerabilities like Heartbleed and FREAK, has existed since the 1990s but was only recently uncovered. According to the researchers, the flaw easily could have been used by the NSA to crack secured VPN connections.

"A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break," the researchers write in a blog post about the flaw.

The flaw affects any server that supports what's known as DHE_EXPORT ciphers to encrypt traffic. DHE refers to the Diffie-Hellman algorithm, which is used by a browser and server to agree on a shared secret key and negotiate a secure connection for communication. The Diffie-Hellman method was until now considered highly secure because the key is not static; it can be refreshed or changed. To eavesdrop on such traffic, an attacker must determine each new key. But the Logjam flaw would allow an attacker to downgrade the encryption to a level that can be easily cracked.

The Diffie-Hellman algorithm, in order to be secure, would use 2048-bit prime numbers to generate the keys. But the flaw would downgrade this to force the server and browser to use only 512-bit primes to generate the keys.

Using equipment in their own labs, the researchers were able to crack encryption using 768-bit primes, and they believe that intelligence agencies like the NSA, with more resources, would easily be able to crack 1024-bit primes.

The flaw exists because the US government, in the 1990s, established export requirements that prevented developers from exporting strong cryptography. They could offer only lower levels of protection abroad. As a result, web servers in the US and around the world had to support the weaker encryption to communicate with those users. The flaw works on any server that still supports the export-grade version of Diffie-Hellman that uses 512-bit primes to generate keys.
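The client-side fix the browser vendors shipped is to refuse any Diffie-Hellman group whose prime is too short, regardless of which cipher suite was negotiated. The following is an added example, not code from the article or the researchers: it parses the ServerDHParams structure a TLS 1.2 server sends in its ServerKeyExchange message (RFC 5246 section 7.4.3: dh_p, dh_g, dh_Ys, each a 2-byte length prefix followed by big-endian bytes) and rejects export-grade 512-bit groups. The 1024-bit floor and the sample groups are constructed for illustration.

```python
# Added example: a Logjam-style guard on the DH group a server offers.
# Assumes TLS 1.2 ServerDHParams layout (RFC 5246 7.4.3); sample values are constructed.
import struct

MIN_DH_BITS = 1024  # assumed floor; browsers rejected smaller groups after Logjam


def _read_vec(buf: bytes, off: int):
    """Read one opaque<1..2^16-1> vector; return (value, new_offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n


def parse_server_dh_params(buf: bytes):
    """Split ServerDHParams into integers (p, g, Ys) plus the offset after them."""
    p, off = _read_vec(buf, 0)
    g, off = _read_vec(buf, off)
    ys, off = _read_vec(buf, off)
    return int.from_bytes(p, "big"), int.from_bytes(g, "big"), int.from_bytes(ys, "big"), off


def check_dh_group(buf: bytes, min_bits: int = MIN_DH_BITS):
    """Return (accept, reason) for the group in a ServerKeyExchange body."""
    try:
        p, g, ys, _ = parse_server_dh_params(buf)
    except ValueError as e:
        return False, f"malformed ServerDHParams: {e}"
    bits = p.bit_length()
    if bits < min_bits:  # the export-grade 512-bit case Logjam forces
        return False, f"DH prime is {bits} bits; minimum is {min_bits}"
    if g < 2 or g >= p - 1 or ys < 2 or ys >= p - 1:
        return False, "generator or public value out of range"
    return True, f"{bits}-bit DH group accepted"


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build ServerDHParams bytes (used here only to construct test input)."""
    out = b""
    for v in (p, g, ys):
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(b)) + b
    return out


# Constructed groups: only the bit length matters for this check, not primality.
EXPORT_GRADE = encode_server_dh_params((1 << 511) | 0xABCD, 2, 12345)  # 512-bit
STRONG = encode_server_dh_params((1 << 2047) | 0xABCD, 2, 12345)       # 2048-bit
```

Run `check_dh_group(EXPORT_GRADE)` and `check_dh_group(STRONG)` to see the export-grade group refused and the 2048-bit group accepted; a server-side equivalent is simply to stop offering DHE_EXPORT suites at all.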

The security hole is being touted as severe, but others are cautioning that its use is limited.

"It’s one of those threats that’s important and we should pay attention to it," says Rob Graham, CEO of Errata Security. "But we shouldn’t panic about it. It’s [affecting] a limited number of web sites and can only be used by a man-in-the-middle attack. It also needs a fair amount of resources to do the attack. So the teenager at Starbucks is not going to use this to attack you; the only threat would be the NSA."

Graham agrees with the researchers that there is "a good chance the NSA has used this" to crack VPN connections. "This is the sort of thing they would do, but it’s pure speculation."

Some of the researchers who uncovered the flaw were also responsible for uncovering the FREAK vulnerability disclosed earlier this year, which also affected the Transport Layer Security protocol.

The researchers include computer scientists at the Inria Nancy-Grand Est and Inria Paris-Rocquencourt research institutes in France, as well as analysts with Microsoft Research, and academics at Johns Hopkins University, University of Michigan, and the University of Pennsylvania.

The researchers worked with a number of web site administrators before announcing the flaw Tuesday night so they might remove support of the Diffie-Hellman export ciphers. Microsoft patched the vulnerability in Internet Explorer browsers last week. Patches for Chrome, Firefox and Safari are in development.