Security researchers have uncovered a major flaw in TLS which could allow Man in the Middle attackers to downgrade vulnerable connections to an easily crackable 512-bit cryptography, putting over 80,000 of the world’s most popular HTTPS websites at risk.
The so-called “Logjam” attack is similar to the FREAK flaw found earlier this year in that it takes advantage of a '90s US government export restriction on strong encryption to allow attackers to break the secure connection between website/mail server and end user.
However, it comes from a flaw in TLS rather than an implementation vulnerability, and applies this time to servers supporting the Diffie-Hellman key exchange rather than RSA.
If successful, attackers would be able to read and modify any data passed over an affected connection.
According to the research note, it affects any server that supports DHE_EXPORT ciphers and all modern web browsers. An initial scan indicates that 8.4% of the top one million HTTPS domains are affected, and 3.4% of the top one million HTTPS browser trusted sites.
Researchers explained more:
"Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections."
This means attackers with access to a large amount of compute power could even break stronger versions of encryption using the same algorithm.
“A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break,” the note said.
Internet Explorer has already been updated to protect against Logjam and the research team is working with other major browser vendors to do the same.
Mail and web server operators were urged to “disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group” as per these instructions.
A detailed technical paper can be found here.
James Maude, security engineer at Avecto, argued that the flaw shows again why failing to remove outdated technologies undermines efforts to improve security.
“We can not predict the future so the best option is to be as secure as technology allows. Organizations should not only be looking at what to add but what to remove as part of a strong patch management and update process,” he added.
“Ultimately, security is a journey, not a destination and all aspects need to continuously evolve as we move forward.”
NCC Group technical director, Ollie Whitehouse, argued that organizations need to be able to react with agility to such breaking threats.
“This ability should typically be underpinned by having detailed asset registers, coupled with both vulnerability management programs and strong relationships with software and equipment producers,” he said.
“However, one area where companies are likely to struggle is embedded devices. It is these that will be the long tail when it comes to ensuring a comprehensive response, due to slow or inadequate vendor security sustainment processes."