Earlier this year, security researchers announced the discovery of the "FREAK" vulnerability that allowed attackers to downgrade TLS connections to weaker export crypto. Recently, researchers from INRIA, Microsoft, Johns Hopkin's, the University of Michigan and the University of Pennsylvania found a similar flaw.
The newly published vulnerability allows attackers to downgrade the DHE key exchange protocol to a weaker 512-bit key size that can be broken within minutes. They called this flaw the "Logjam", which is a play on the "discrete log" problem and the fact that many companies continue to use "dead wood" crypto in their software.
Export encryption was mandated by the U.S. government in the 1990s so foreigners could only use encryption that could be broken by the government's intelligence agencies. Since then, the EFF, together with some cryptographers, won some lawsuits against this policy which forced the U.S. government to eliminate its encryption restrictions.
However, many servers and browsers still allow the use of export crypto, which means they leave the opportunity to attackers to downgrade the connections to those much weaker protocols.
According to the researchers who found the flaw, 8.4 percent of the top 1 million websites are vulnerable. However, up to 66 percent of the VPN servers can be vulnerable to eavesdropping by nation-states if they use a DHE key exchange with a key that is 1024-bit or smaller.
Browser vendors such as Google and Mozilla have already announced that they will send a patch to their browsers to make 1024-bit the minimum key size that they will accept for HTTPS connections. However, this is merely a compromise on the level of security that they are willing to accept from websites. It is not a complete fix, nor should it be treated as one.
Only server admins themselves will be able to completely fix this problem, by either switching to the Elliptic Curve DHE (ECDHE) protocol, which also provides Perfect Forward Secrecy, or by starting to use 2048-bit key sizes for DHE.
Even though browser vendors will still allow 1024-bit DHE because raising the bar any higher would mean breaking too many websites, that key size can be broken by intelligence agencies such as the NSA. In fact, the researchers concluded that previous Snowden revelations have hinted that this is the vulnerability the NSA uses to break most VPN connections.
Although not quite at the level of Heartbleed in terms of how dangerous this flaw is, because it still needs some computation power for decryption whereas Heartbleed didn't, Logjam is a serious vulnerability that affects tens of thousands of websites. The White House has promised before that it's the government's policy to disclose the vast majority of vulnerabilities to vendors. However, in this case that doesn't seem to have happened, if what the researchers say is true, which calls into question whether the White House is more committed to surveillance than cybersecurity.
Qualsys, the creator of the SSL Labs service that grades websites based on how secure their protocols are, reached out to Tom's Hardware to let website owners know that its recommendations for server configurations would have protected them against the Logjam vulnerability.
"LogJam, the new attack on weak Diffie-Hellman (DH) parameters is yet another reminder that supporting obsolete cryptography is never a good idea. Even though TLS provides a negotiation mechanism that should in theory enable modern clients to communicate using only strong security, in practice there are ways to abuse either the clients or the protocol and perform downgrade attacks.
Diffie-Hellman key exchange strength is a relatively obscure aspect of TLS protocol configuration. Until recently, most web servers didn't even have an ability to tune this setting, and some servers don't even today. That wouldn't be a problem, except that most servers default to insecure values. SSL Labs started highlighting servers with weak DH parameters some years ago in an effort to raise awareness of this issue.
LogJam affects only incorrectly configured SSL/TLS servers. Those who have followed best practices (e.g., the SSL/TLS Deployment Best Practices from SSL Labs) aren't using any of the vulnerable cryptography and need not make any changes to mitigate LogJam. In addition, for performance reasons, well-tuned sites prefer key exchanges based on Elliptic Curve cryptography, avoiding problems with DH altogether. In SSL Labs, servers vulnerable to the LogJam attacks are graded as F; no changes were made specifically for this attack."
The researchers who discovered the Logjam flaw have also prepared a guide on how to properly deploy DHE on a server.