Ask The Cyber Security Expert: How scary is Logjam?
Logjam is the latest high profile security vulnerability to be given its own name (a la shellshock and heartbleed). You can read about it here.
Now, whilst this certainly isn’t good I don’t think it quite as terrible as the headline makes out. In essence this is an issue that stems from US export controls in the 1990s. This forced developers of encryption to include deliberately weak modes of operation, which were at the time judged to be sufficient to protect users from criminals and the like, but within the capabilities of the US to crack. A lot of time has passed, and the computing power to break the weaker modes of encryption are now well within the capabilities of non-state actors. Whilst the US now has less restrictive controls on encryption export, and typical encryption used to protect network traffic is extremely strong, these weakened modes of operation continue to exist in some software.
When you connect to a website that offers an encrypted connection the first thing that happens is your browser and the website agree what encryption they will use, and how strong it will be. They should settle on the strongest form of encryption that both sides are capable of using. However if an attacker can interfere with this negotiation phase it is possible for them to convince your browser and the web server to use the deliberately weakened encryption modes from the 1990s, if both still support it. Sadly, nearly all browsers and a large number of servers will still do so.
How worried should I be?
For an attacker to exploit this they need to get between you and the server your connecting to, and to interfere with your connection to deliberately downgrade your connection. The researchers give proof of concepts of these attacks here. Whilst this is relatively hard to do, it is clearly possible. Also when vulnerabilities like this are announced, tools which make it easy for hackers to exploit them follow quickly.
Software fixes preventing browsers being vulnerable to this will be released soon (currently the latest versions of Internet Explorer are the only browsers not vulnerable). In the meantime, make it hard for attackers to capture your traffic by avoiding using free public wifi, where it is easy (really really easy!) for someone to interfere with your traffic. If you use a VPN service to protect yourself on wifi, check with your service provider (or your company if it’s a corporate service) to see if it is vulnerable to this attack.
If you run web servers, or any services that use encrypted connections, you should ensure they don’t support the export grade encryption, and make the necessary changes, described here. That page also lets you test web servers for this weakness.
In summary; not great news, but the sky is not falling in. Only a relatively small percentage of servers on the internet are affected, and there is a tool to test them. Browser fixes will come soon, and in the meantime avoid connecting to vulnerable websites and services over public wifi or other untrusted networks.
As always, if you have questions please get in touch! Find us on twitter, or use the contact form.
The Cyber Security Expert