It doesn’t seem like two minutes since I was last writing about an SSL vulnerability aimed at the weak-encryption side of things; unfortunately it’s that time again, and this time the vulnerability is called Logjam.
Logjam is based upon a man-in-the-middle (MitM) attack that downgrades an encrypted connection (SSL/TLS) between the user and the server to a weaker 512-bit key, which can then be decrypted in minimal time. The server can be anything that has an SSL certificate against it: a web, email or even an FTP server, to name a few.
Logjam was discovered a few months ago by Matthew Green and security experts from the University of Michigan. It works in a similar way to the FREAK vulnerability, which was exposed a few months earlier, and there is a technical report that details how the downgrading of encryption works. The report can be found here: https://weakdh.org/imperfect-forward-secrecy.pdf
So what does this mean to me? Basically, anyone who exploits the connection is able to decode your “secure” traffic and read what is being sent and received over the internet. However, it’s not as easy as that: the attacker must be on the same network as your traffic in order to intercept your data, so the likelihood of disclosure is reduced.
I’m not saying that you should ignore this and think everything is safe, but you should not lose too much sleep over it either, thinking it’s going to destroy your website.
What can I do to protect myself from Logjam?
For Windows machines, Microsoft issued a patch for this issue on the 12th May in security bulletin MS15-055; anyone who has automatic updates enabled will receive this update and be protected from this vulnerability.
If you use Chrome for your web browsing, Google has added protection against this vulnerability from Chrome version 42; update to the latest version to protect yourself.
Finally, ensure that your servers are patched up to date, and that any software you use that relies on SSL/OpenSSL etc. is patched and does not depend on the older encryption technologies.
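The downgrade described above and the advice to stop relying on older encryption both come down to the size of the Diffie-Hellman group a server sends in its TLS ServerKeyExchange message. The script below is an added example, not code from the original post or from the Logjam researchers: it parses the ServerDHParams structure from a captured ServerKeyExchange handshake message (for instance one pulled out of a pcap) and flags a 512-bit group as export grade. The sample messages at the bottom are constructed for the demo; their moduli are not real primes, only integers of the right length.

```python
"""Report the Diffie-Hellman prime size from a TLS 1.2 ServerKeyExchange."""
import struct

SERVER_KEY_EXCHANGE = 12   # HandshakeType value
WEAK_DH_BITS = 1024        # groups shorter than this are treated as weak


def parse_server_key_exchange(msg: bytes) -> bytes:
    """Strip the 4-byte handshake header (1-byte type, 3-byte length)."""
    if len(msg) < 4 or msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    length = int.from_bytes(msg[1:4], "big")
    if len(msg) < 4 + length:
        raise ValueError("truncated handshake message")
    return msg[4:4 + length]


def parse_server_dh_params(body: bytes):
    """Return (p, g, Ys) from ServerDHParams: three length-prefixed opaques."""
    off, fields = 0, []
    for _ in range(3):
        if off + 2 > len(body):
            raise ValueError("truncated ServerDHParams")
        (length,) = struct.unpack_from("!H", body, off)
        off += 2
        if off + length > len(body):
            raise ValueError("truncated ServerDHParams")
        fields.append(int.from_bytes(body[off:off + length], "big"))
        off += length
    return tuple(fields)


def assess(msg: bytes) -> str:
    """Classify the DH group size carried in a ServerKeyExchange message."""
    p, _, _ = parse_server_dh_params(parse_server_key_exchange(msg))
    bits = p.bit_length()
    if bits <= 512:
        return "export-grade"
    return "weak" if bits < WEAK_DH_BITS else "ok"


def build_server_key_exchange(p: int, g: int, ys: int) -> bytes:
    """Construct a sample message (no signature) for testing the parser."""
    body = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        body += struct.pack("!H", len(raw)) + raw
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


# Constructed samples: top bit set to fix the length, not actual primes.
SAMPLE_EXPORT = build_server_key_exchange((1 << 511) | 0x1234567, 2, 0xABCDEF)
SAMPLE_STRONG = build_server_key_exchange((1 << 2047) | 0x9999, 2, 0xABCDEF)
```

Run against real captures, a result of "export-grade" on a connection you expected to negotiate a normal DHE suite is exactly the downgrade Logjam produces.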
I hope this serves as a reminder to keep your software and systems up to date.