Researchers have discovered a new security flaw that could affect tens of thousands of HTTPS websites, mail servers and other services. A man-in-the-middle attacker can downgrade a Transport Layer Security (TLS) connection to 512-bit export-grade Diffie-Hellman, break that key exchange and read the data being transmitted.

Dubbed Logjam, the flaw was discovered some months ago by researchers from Microsoft, Johns Hopkins University, the University of Michigan, the University of Pennsylvania and Inria Nancy-Grand Est in France, who subsequently informed browser makers about the issue; patches are currently being rolled out.
The research team has published a technical paper (pdf) and built a useful microsite, which sheds more light on the issue, as well as how to address the problem.
Services reliant on the Diffie-Hellman key exchange algorithm could potentially be vulnerable. The flaw in the TLS protocol affects thousands of web and email servers, as well as VPNs.
Diffie-Hellman key exchange is a popular cryptographic algorithm used in HTTPS, SMTPS and other protocols built on TLS, as well as in SSH and IPsec. Put simply, it lets two parties agree on a shared secret key over an untrusted network, and that key then protects the rest of the connection.
However, to comply with US export rules dating from the 1990s, SSL and early TLS defined weakened "export-grade" cipher suites that capped the Diffie-Hellman prime at 512 bits, a limit some sceptics say was put in place with the NSA in mind. Many servers still offer those suites today.
A 512-bit Diffie-Hellman group can be broken by criminals and nation-states alike, exposing encrypted web, email or VPN traffic. The researchers estimate that 768-bit groups are already within reach of academic teams and that 1024-bit groups are within reach of nation-state adversaries. The key point is that most of the work is a one-off precomputation against a specific prime; because servers overwhelmingly reuse a handful of standard primes, that effort then pays off against every connection that uses the same group.
Breaking the single most common 1024-bit prime, the researchers said, would enable passive eavesdropping on connections to almost a fifth (18 percent) of the top million HTTPS domains.
More generally, the downgrade attack works against any server that still supports the DHE_EXPORT cipher suites, combined with a client that will accept a 512-bit group, which at the time of disclosure included all major web browsers. POP3S and IMAPS email servers that offer those suites are affected in the same way.
“To comply with 1990s-era US export restrictions on cryptography, SSL 3.0 and TLS 1.0 supported reduced-strength DHE_EXPORT cipher suites that were restricted to primes no longer than 512 bits”, the academic paper from the researchers notes.
This attack isn't without limits, though: Johns Hopkins crypto researcher Matthew Green said that the attacker would need to be on the same network as the victim. He also speculated that the NSA might have used this flaw to target VPN connections.
There is also good news: server administrators who disabled all export-grade cipher suites when fixing FREAK are not vulnerable, since a server that never offers DHE_EXPORT cannot be downgraded to it. Browser makers, however, did not drop support for 512-bit Diffie-Hellman at that time, seemingly out of concern that a handful of websites still relied on such weak parameters.
Experts encourage system and web administrators to disable export-grade cipher suites and to generate a fresh, unique 2048-bit Diffie-Hellman group for each server rather than relying on a widely shared default.
In addition, users are urged to look out for browser updates, and developers are told to use the latest TLS libraries and to reject Diffie-Hellman groups shorter than 1024 bits on the client side, whatever cipher suite was negotiated.
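To make the client-side advice concrete, here is an added example (not code from the Logjam paper or from any browser or TLS library) that models the two handshake pieces the attack turns on: the ClientHello cipher-suite list, which the man-in-the-middle rewrites so that only DHE_EXPORT suites survive, and the ServerKeyExchange "ServerDHParams" structure (RFC 5246 section 7.4.3) that carries the prime the server chose. The cipher-suite code points are the real IANA values from RFC 2246 Appendix A.5; the two "primes" are constructed placeholders with the right bit lengths, not real groups, and the function names are the example's own.

```python
"""Client-side Diffie-Hellman parameter check against a Logjam-style downgrade.

Added example, not code from the Logjam researchers or any TLS stack.
Wire formats follow TLS 1.0-1.2; the sample primes are constructed
placeholders of the right size (not real groups) so the file runs offline.
"""
import struct

# Export-grade Diffie-Hellman cipher suites (RFC 2246, Appendix A.5).
DH_EXPORT_SUITES = {
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033  # a normal, non-export DHE suite

MIN_DH_BITS = 1024  # the floor the researchers asked clients to enforce

# Constructed placeholders: correct bit length, NOT primes, NOT safe groups.
P_512 = (1 << 511) | 0x12345677
P_2048 = (1 << 2047) | 0x12345677


def encode_cipher_suites(suites):
    """Serialise a cipher-suite list as carried in a ClientHello."""
    body = b"".join(struct.pack("!H", s) for s in suites)
    return struct.pack("!H", len(body)) + body


def decode_cipher_suites(data):
    (length,) = struct.unpack("!H", data[:2])
    return [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, length, 2)]


def mitm_downgrade(client_hello_suites):
    """What the Logjam man-in-the-middle does: keep only the DHE_EXPORT
    suites, so a server that still offers them picks a 512-bit group."""
    kept = [s for s in decode_cipher_suites(client_hello_suites) if s in DH_EXPORT_SUITES]
    return encode_cipher_suites(kept)


def encode_server_dh_params(p, g, ys):
    """ServerDHParams: opaque dh_p, dh_g, dh_Ys, each with a 2-byte length."""
    def opaque(n):
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(raw)) + raw
    return opaque(p) + opaque(g) + opaque(ys)


def parse_server_dh_params(data):
    """Return (p, g, Ys) as integers from a ServerDHParams blob."""
    fields, off = [], 0
    for _ in range(3):
        (n,) = struct.unpack("!H", data[off:off + 2])
        fields.append(int.from_bytes(data[off + 2:off + 2 + n], "big"))
        off += 2 + n
    return tuple(fields)


def check_dh_params(data, min_bits=MIN_DH_BITS):
    """The client-side Logjam mitigation: reject any group shorter than
    min_bits, independent of which cipher suite was negotiated. Returns
    (accepted, reason)."""
    p, _g, ys = parse_server_dh_params(data)
    if p.bit_length() < min_bits:
        return False, "DH prime is %d bits, below %d" % (p.bit_length(), min_bits)
    if not 1 < ys < p - 1:
        return False, "server public value out of range"
    return True, "DH prime is %d bits" % p.bit_length()


def demo():
    """Walk through the downgrade and show the check catching it."""
    hello = encode_cipher_suites([TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 0x0014])
    downgraded = decode_cipher_suites(mitm_downgrade(hello))
    weak = check_dh_params(encode_server_dh_params(P_512, 2, 12345))
    strong = check_dh_params(encode_server_dh_params(P_2048, 2, 12345))
    return downgraded, weak, strong


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The server-side half of the fix is configuration rather than code: remove every EXPORT suite from the server's cipher list and point it at a freshly generated 2048-bit group (for OpenSSL-based servers, `openssl dhparam -out dhparams.pem 2048`). The client check above matters because an unpatched client will happily complete the handshake with a 512-bit group even when its own ClientHello never asked for an export suite, which is exactly the gap the man-in-the-middle exploits.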
Google, Mozilla and Apple are all set to deploy patches, with Microsoft already having done so for Internet Explorer.