Slashdot Mirror


'Logjam' Vulnerability Threatens Encrypted Connections

An anonymous reader writes: A team of security researchers has revealed a new encryption vulnerability called 'Logjam,' which is the result of a flaw in the TLS protocol used to create encrypted connections. It affects servers supporting the Diffie-Hellman key exchange, and it's caused by export restrictions mandated by the U.S. government during the Clinton administration. "Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled server that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties."

Internet Explorer is the only browser yet updated to block such an attack — patches for Chrome, Firefox, and Safari are expected soon. The researchers add, "Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break." Here is their full technical report (PDF).

71 comments

  1. Internet Explorer is the only browser yet updated by Anonymous Coward · · Score: 1

    Really? The online JS test tells me my Iceweasel 38.0.1 isn't vulnerable.

    "Good News! Your browser is safe against the Logjam attack. "

  2. Root cause = speed over security by xxxJonBoyxxx · · Score: 4, Insightful

    From TFA: "Generating primes with special properties can be computationally burdensome, so many implementations use fixed or standardized Diffie-Hellman parameters. "

    Yeesh.

    1. Re:Root cause = speed over security by Anonymous Coward · · Score: 0

      Trying to support as many connections over as few servers as possible is often the cause of many tradeoffs... usually ignoring the fact that you start throwing out babies with the bathwater.

    2. Re:Root cause = speed over security by Anonymous Coward · · Score: 0

      This is totally fixable too. During install you say 'here use the defaults but in the background I am going to make you some new ones but it will take some CPU usage to do so y/n (y)?' Then in the background feed the cryptic commands to the right thing.

      It is literally an install problem.

    3. Re:Root cause = speed over security by dwheeler · · Score: 2

      Don't even ask. On the initial start-up, start calculating those new keys. You want the DEFAULT to be secure.

      --
      - David A. Wheeler (see my Secure Programming HOWTO)
    4. Re:Root cause = speed over security by sexconker · · Score: 2

      The root cause is people shouting "Don't roll your own crypto!" and scaring people away from using anything but the bog-standard, NSA-approved shit.

    5. Re:Root cause = speed over security by Anonymous Coward · · Score: 0

      Don't roll your own.

      Re-roll the existing stuff to customize it.

      And for initiative. Duh.

    6. Re:Root cause = speed over security by Dagger2 · · Score: 1

      It takes my (2009 era) machine 5-300 minutes (it varies wildly depending on how lucky you get) to generate a set of 4096-bit DH parameters. And that's actual CPU time, not "sitting around waiting for the Linux entropy pool to regenerate" time. You're going to have to make some tradeoffs here.

    7. Re:Root cause = speed over security by HiThere · · Score: 1

      OTOH, using "roll your own crypto" is notorious for individualized holes and weaknesses. It does tend to mean that the "one size fits all" means of breaking the code won't work, however. Or at least may well not work.

      That said, if you have good enough communication to share custom crypto programs, you may be better off using a one-time pad....as that can't even theoretically be broken. But it does require a good source of random numbers (e.g. amplified triode vacuum tube with no input so you're just amplifying noise). Such things are reasonably easy to build, but for some reason they aren't normal computer accessories. (Video cams watching a flickering flame are another good source.)

      But custom crypto is hard to do correctly. AND it requires good communications to standardize the programs. So if you have the communication, a one time pad is better.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    8. Re:Root cause = speed over security by Anonymous Coward · · Score: 0

      So? Do you need to generate this on a daily basis? Per connection?

      If the answer is no way, do it anyway. Better to waste time than to waste nerves when everything is going to shit because a shortcut has been taken.

    9. Re:Root cause = speed over security by Dagger2 · · Score: 1

      So... generating new DH parameters on each connection leads to connection latencies of up to a few hours, which isn't really viable?

      Also, what are you trying to protect against by regenerating the key frequently? We normally cycle RSA keys every year or two because of the risk that someone might break into the server in that time and steal the key (and we don't want the stolen key to be valid forever), but that's not an issue with DH parameters because they're public anyway.

      The other reason to regenerate frequently is to limit the window of opportunity for brute force attacks, but that doesn't make much sense either: instead of generating lots of small keys, just generate one bigger key in the first place. It'll take far less CPU time and yet still be far harder to brute force.

    10. Re:Root cause = speed over security by suutar · · Score: 1

      if they can't understand the difference between writing their own code and generating their own random numbers they're better off doing neither.

    11. Re:Root cause = speed over security by thogard · · Score: 1

      There are things that can be done and things that shouldn't. For example there is a byte table of sines in MD5 that help scramble bits. If you scramble that table at all then you have a hash that is as strong as MD5 but unique as if someone tacks on a 2^2048 extra seed. It also keeps off the shelf hardware from trying your hash.

      If you do the same thing with the DES S-boxes you can end up with a crypto that is so weak you might be able to decrypt it by inspection.

    12. Re:Root cause = speed over security by TheCarp · · Score: 2

      >The other reason to regenerate frequently is to limit the window of opportunity for brute force attacks, but that doesn't make much sense either:

      Lets not lose sight of the fact that, even doing it only once EVER, even if you then redistribute that result to every future machine you build, is already far better than the status quo.

      The current standard appears to be "use the same default ones distributed to everyone else". So really even "each unique machine generates a new set once" is a massive improvement and downgrade to the usefulness of breaking any given prime.

      --
      "I opened my eyes, and everything went dark again"
    13. Re:Root cause = speed over security by Dagger2 · · Score: 1

      It is, but you'd achieve a much higher resistance to precalculation attacks just by generating and sharing a longer key in the first place -- which also has the advantage of not burning hours of CPU time on every single machine.

      Perhaps the best thing to do here would be for each system to download DH parameters (or get them from a package or whatever) at installation time, and then regularly change the parameters that are available for download. That avoids the massive generation time on each machine, but also limits the amount of machines that you share parameters with. So long as those parameters aren't tiny, that should be fine.

      Bonus points if you include a simple "make_me_my_own_dhparams" script that makes generating your own parameters trivial, but I do think we can get most of the benefit here without requiring every single install to use it.

  3. Re: Internet Explorer is the only browser yet upda by Anonymous Coward · · Score: 0

    Reading is fundamental.

  4. And that is why you do not downgrade encryption... by gweihir · · Score: 4, Informative

    At the time these utterly stupid laws were made, these ciphers where still somewhat secure against most attackers. The problem is that encryption software and parameters can stay in use for a long time.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  5. Big Question by currently_awake · · Score: 1

    Did this flaw come into existence due to lazy programmers trying to save run time, or did the NSA install this as a back door? How badly has the NSA sabotauged the border defences of the USA?

    1. Re:Big Question by FranTaylor · · Score: 1, Funny

      How badly has the NSA sabotauged the border defences of the USA?

      They have sabotauged your ability to spell!

    2. Re:Big Question by Anonymous Coward · · Score: 0

      Since this was mandated directly by the Clinton administration and not the computer industry I'm assuming it was done at the demands of the NSA or equivalent. So yes, NSA operatives are guilty of treason every time you read or hear about someone hacking into a US government computer.

    3. Re:Big Question by Anonymous Coward · · Score: 0

      Do you really have to ask that question?

    4. Re:Big Question by Anonymous Coward · · Score: 0

      No, it was France that sabotauged our ability to spell by bringing us such words as "sabotage".

    5. Re:Big Question by StikyPad · · Score: 1

      You'll shut me down with a push of your button?

    6. Re:Big Question by gizmo2199 · · Score: 1

      I'm out, and I'm gone!

      --
      This Sig does not Exist.
  6. So im guessing it doesn't fix the cable? by Anonymous Coward · · Score: 1

    oblig.

  7. downgrade attacks... by nimbius · · Score: 2

    caused by export restrictions mandated by the U.S. government during the Clinton administration.

    So this assertion arrives at one of two uncomfortable conclusions.
    1. US intelligence agencies have had the ability to exploit this for more than a decade
    2. US intelligence agencies, having understood advances in computing to be inevitable, carved a backdoor and did some wishful thinking.

    Either way the internet is starting to realize not all well-intentioned backward compatibility that also includes an unfortunate downgrade in security is done in altruistic or neutral capacity. Shell companies and paid researchers can and have in the past intentionally rendered well constructed algorithms and crypto effectively optional in the name of compatibility and their product. Ephemeral ECC for example, although cited by researchers as a means to avoid this kind of attack, is suspect. The NIST elliptic curves have now been tainted by Snowden's revelations as well. The SSH 2 implementation of the 25519 curve, by Aris of the libssh project, attempts to address the problem of divergences in elliptic-curve cryptography by proposing a safer alternative that doesn't implement the mysterious constants common among other schemes.

    --
    Good people go to bed earlier.
    1. Re:downgrade attacks... by Creepy · · Score: 4, Informative

      It actually has more to do with export law - in fact, Clinton's Executive Order transferred control of encryption from the Munition List to the Commerce Control List. Prior to the Clinton updates, the maximum exportable encryption was 40 bits. Part of the reason the change got Clinton's attention is the PGP investigation, where the creator of PGP exported the computer code in a hardback book (free speech) as opposed to in a computer (munitions), allowing it to be scanned and compiled outside of the US. Also the weak foreign encryption export limits were starting to hurt US businesses (mine included at the time - we outsourced all encryption work and worldwide distribution to England, leading to about 20 US workers losing their jobs).

  8. FireFox by Anonymous Coward · · Score: 0

    Too bad FireFox doesn't update the ESR versions of the past anymore. Yeah, I think you know where I'm going with this comment. Just go ahead and mod me down as a troll. But FireFox broke functionality with certain versions, so I'm sticking with what I have.

  9. Should this effect anyone? by Anonymous Coward · · Score: 0

    I'm sure some servers use export grade ciphers, but are any servers required to anymore?

  10. How about vulnerability suck my dick? by ruir · · Score: 0, Flamebait

    The name of the article is virtually incomprehensible due to this shit. How about the original idea about saying a new TLS vulnerability? Would it be so fucking difficult? Yeah, mod me down.

    1. Re:How about vulnerability suck my dick? by Anonymous Coward · · Score: 0

      I fully agree (but no worries, I modded you down anyway, even though I don't understand why you would want that)

      Posting anonymously because see above

  11. Bunny Lebowski by Kevoco · · Score: 0

    will someday learn to live on her allowance, which is ample...

    1. Re:Bunny Lebowski by Shortguy881 · · Score: 1

      He must be here to fix the cable.

      --
      Brilliance without wisdom, power without conscience. Ours is a world of nuclear giants and ethical infants.
  12. If they are fixing hole from Clinton Administration by Anonymous Coward · · Score: 0

    It means they have 10 new holes from Obama Administration...

  13. I remember you could get a T-Shirt by Anonymous Coward · · Score: 0

    With the PGP code, which was technically a "Controlled Munition"

    Good times.

  14. I tested my browsers ... by CaptainDork · · Score: 1

    ... and here's the breakdown:

    IE and Safari test OK.

    Firefox, Chrome, and Opera fail the test.

    --

    That's on my HP desktop at home.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:I tested my browsers ... by Anonymous Coward · · Score: 0

      I'm stuck with FireFox ESR v10. 17 and 24 are buggy. But 31 is just so terribly awful with the UI changes. Why can't FireFox just do security updates for their old ESR?

    2. Re:I tested my browsers ... by Anonymous Coward · · Score: 0

      Quit whining and patch it yourself. If you're lucky, the patch will even apply. If you're unlucky, you'll have to (gasp) actually look at the patch to see what it changed, then update your ESR release.

      Seriously, you're making it sound like firefox was closed source.

  15. Re:Certificate authorities surely? by petermgreen · · Score: 3, Informative

    There have been a couple of recent developments which attempt to fight back against the "CA coercion" vulnerability.

    One is "http key pinning", that way your browser is still trusting the public CA network for the initial connection to a site but after that it additionally checks a list of keys provided by the site (the site has the option of whether to declare trust in a CA or whether to approve individual keys). This will make it very difficult for a MITM with a coerced key to operate in secret, if the user ever uses an internet connection the MITM doesn't control and then comes back to the one controlled by the MITM then they will notice the interference.

    Another is "certificate transparency" which if enforced means a CA can't issue certs without publishing the fact they are doing so. This is a bit of a longer term goal, it will be some time if ever before clients can force this model on all CAs but again it will make it much easier to discover MITM attacks.

    --
    note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
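    The pinning mechanism described in the comment above, as an added worked example for this thread (not browser code and not from any project named on the page): a toy Public-Key-Pins store that hashes the SubjectPublicKeyInfo of each certificate in a chain, records a site's pins only when the header carries both a matching pin and a backup pin, and refuses a later chain that matches none of the stored pins, which is the coerced-CA man-in-the-middle case. The SPKI byte strings, host names and injectable clock are constructed for the demo.

```python
"""Toy HTTP Public Key Pinning store, after the mechanism the comment above
describes (the Public-Key-Pins header, RFC 7469).

Added example for this thread, not browser code. Certificates are stood in
for by constructed SPKI byte strings; a real client hashes the DER-encoded
SubjectPublicKeyInfo of each certificate in the validated chain. The host
names and the injectable clock are assumptions for the demo.
"""
import base64
import hashlib
import re
import time

_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
_MAX_AGE_RE = re.compile(r"max-age=(\d+)", re.IGNORECASE)


def spki_pin(spki_der):
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp_header(value):
    """Return (pins, max_age_seconds, include_subdomains) from a Public-Key-Pins header."""
    m = _MAX_AGE_RE.search(value)
    if m is None:
        raise ValueError("max-age is required")
    return set(_PIN_RE.findall(value)), int(m.group(1)), "includesubdomains" in value.lower()


class PinStore:
    def __init__(self, now=time.time):
        self.now = now
        self._pins = {}  # host -> (pins, expires_at)

    def note(self, host, chain_spkis, header):
        """Process a header received over a connection that already passed CA validation.

        RFC 7469 rules applied: max-age=0 clears; otherwise the header is
        ignored unless at least one pin matches the chain AND at least one
        does not (the backup pin, so a lost key cannot brick the site).
        """
        pins, max_age, _ = parse_pkp_header(header)
        if max_age == 0:
            self._pins.pop(host, None)
            return False
        chain = {spki_pin(s) for s in chain_spkis}
        if not (pins & chain) or not (pins - chain):
            return False
        self._pins[host] = (pins, self.now() + max_age)
        return True

    def check(self, host, chain_spkis):
        """True if the connection may proceed. A stored pin set that matches
        nothing in the presented chain is the coerced-CA MITM case."""
        entry = self._pins.get(host)
        if entry is None:
            return True  # first contact: nothing to compare against yet
        pins, expires_at = entry
        if self.now() >= expires_at:
            del self._pins[host]
            return True
        return bool(pins & {spki_pin(s) for s in chain_spkis})
```

    The store only helps on the second visit, as the comment says: the first connection still trusts the CA network, and an attacker who controls every path the user ever takes is never caught. Pinning an intermediate or root SPKI corresponds to "declaring trust in a CA"; pinning the leaf SPKI corresponds to "approving individual keys".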
  16. Isn't this old news? by Anonymous Coward · · Score: 0

    There was an article about a month ago on /. talking about a researcher who wondered how many sites had already been patched against this vulnerability and when he started scanning, he found hundreds of thousands of hosts on the Internet that all use the exact same keys. A result of lazy router manufacturers preconfiguring them with standard keys instead of having the end user generate a new one.

  17. ...unless you rule Australia by tepples · · Score: 2

    Yet Australia wants to return to "export-grade" encryption.

    1. Re:...unless you rule Australia by gweihir · · Score: 1

      The Australians will either come to their senses or find themselves squarely in the second world in the long run. Some researchers already left the country and a lot more will be thinking about it. It will be interesting to see what will happen.

      However, if recent history is any indication, Australians like to get screwed over by their government, hence they keep voting for anti-citizen politicians. Must be some kind of collective masochism going on down under.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:...unless you rule Australia by _merlin · · Score: 1

      However, if recent history is any indication, Australians like to get screwed over by their government, hence they keep voting for anti-citizen politicians. Must be some kind of collective masochism going on down under.

      All our major political parties (Liberal/National, Labor and Green) have anti-citizen policies. Much like the US Republicrat system, while you can choose who's going to be fucking you, you'll still have to bend over.

  18. Now the Mad Men finale makes sense... by alexjplant · · Score: 1

    Don Draper is busy writing copy for these vulnerabilities. Seriously, why are pathetic neckbeards the world over so obsessed with making these cute vulnerability names and logos? Since when did a security vulnerability need branding? I guess a CVE ID is unwieldy but when will the madness end? Is the next one going to be called FailPwn1012?

    1. Re:Now the Mad Men finale makes sense... by Zaurus · · Score: 1

      Worse than branding...there doesn't seem to be a CVE assigned to this at all. Has anyone found one?

    2. Re:Now the Mad Men finale makes sense... by Anonymous Coward · · Score: 0

      CVE-2015-1716
      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1716

  19. Competitive Disadvantage by Archtech · · Score: 1

    How long before legislators and the White House understand that this kind of restrictive export law simply handicaps US researchers and corporations? Competitors from other nations such as India and Russia get a significant advantage over their opposite numbers in the, er, Land of the Free.

    --
    I am sure that there are many other solipsists out there.
  20. Logjammin by captjc · · Score: 3, Funny

    "Hello, meine dispatcher says there eez somezing wrong mit deine Encrypted Connections?"

    "Yeah, come on in. I'm not really sure exactly what's really wrong with the cable."

    "That's why they sent me, I am an expert."

    --
    Slow Down Cowboy! It's been 1 hour, 47 minutes since you last successfully posted a comment
    1. Re:Logjammin by Anonymous Coward · · Score: 0

      Beat me to it.

    2. Re:Logjammin by Anonymous Coward · · Score: 0
  21. Some explanation, and what OpenSSL is doing by rich_salz · · Score: 1

    Emilia from the OpenSSL team just published a good blog post that explains some of the "twists" of logjam, and also what OpenSSL is doing about it. It's here: http://openssl.org/blog/blog/2...

  22. Wrong on one thing by kgroombr · · Score: 1

    The Clinton Administration couldn't have been responsible for this cause it was Bush's fault.

  23. Primes by wonkey_monkey · · Score: 1

    Breaking the single, most common 1024-bit prime used by web servers

    Well that's silly. They should try using different primes for a start.

    --
    systemd is Roko's Basilisk.
  24. Breaking the single, most common 1024-bit prime by Anonymous Coward · · Score: 0

    > Breaking the single, most common 1024-bit prime
    What? Did we run out of primes? Why is everyone using the same prime?
    Or am I misunderstanding the summary?

    1. Re:Breaking the single, most common 1024-bit prime by andyhhp · · Score: 1

      The calculation to generate new primes is expensive (and in the past, was prohibitively so). As the prime numbers in DH are public (they are in the clear as part of the handshake), it was decided that using the same set of everything was a GoodIdea(tm).

      This is not the case in reality, as a one-off week of cloud resource provides an attacker with sufficient data to decrypt the stream in realtime.
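      What "breaking a prime" means, as an added worked example for this thread (not code from the Logjam paper or any project on the page): the expensive stage of the attack depends only on the group (p, g), never on a particular handshake, so it is paid once and reused against every session that shares that group. The paper's attack uses the number field sieve; here baby-step giant-step stands in for it because it has the same two-stage shape. The 32-bit safe prime is generated for the demo and is nothing like a real TLS group; the session values are drawn at random each run.

```python
"""Why a shared Diffie-Hellman prime is worth 'breaking': the expensive work
depends only on (p, g), not on any session.

Added illustration for the thread, not code from the Logjam paper. The real
attack uses the number field sieve; baby-step giant-step plays the same
two-stage role here: build a table once per group, then recover every
session's secret exponent cheaply. The 32-bit safe prime is generated for
the demo and is of course not a real TLS group.
"""
import math
import random
import secrets
import time

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic Miller-Rabin below 3.3e24


def is_prime(n):
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_safe_prime(bits, seed=1):
    """Return (p, q) with p = 2q + 1, both prime. Seeded so the demo repeats."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q


class GroupPrecomputation:
    """Stage 1, paid once per (p, g): baby-step table of g^j for j < sqrt(q).
    Nothing here depends on a handshake, which is why one prime shared by
    millions of servers amortises so well for the attacker."""

    def __init__(self, p, g, q):
        self.p, self.q = p, q
        self.m = math.isqrt(q) + 1
        self.table = {}
        cur = 1
        for j in range(self.m):
            self.table.setdefault(cur, j)
            cur = cur * g % p
        self.giant = pow(g, -self.m, p)  # g^(-m); modular inverse needs Python 3.8+

    def discrete_log(self, y):
        """Stage 2, per session: find x with g^x = y (mod p) in at most m cheap steps."""
        gamma = y
        for i in range(self.m):
            j = self.table.get(gamma)
            if j is not None:
                return (i * self.m + j) % self.q
            gamma = gamma * self.giant % self.p
        raise ValueError("y is not in the subgroup generated by g")


def dh_session(p, g, q):
    """One ephemeral DH exchange on the shared group: (A, B, shared secret)."""
    a = secrets.randbelow(q - 1) + 1
    b = secrets.randbelow(q - 1) + 1
    A, B = pow(g, a, p), pow(g, b, p)
    return A, B, pow(B, a, p)


def passive_break(pre, A, B):
    """Eavesdropper's view: only the two public values from the handshake."""
    return pow(B, pre.discrete_log(A), pre.p)


if __name__ == "__main__":
    p, q = make_safe_prime(32)
    g = 4  # a quadratic residue mod a safe prime, so it generates the order-q subgroup
    assert pow(g, q, p) == 1
    t0 = time.perf_counter()
    pre = GroupPrecomputation(p, g, q)
    t1 = time.perf_counter()
    sessions = [dh_session(p, g, q) for _ in range(100)]
    t2 = time.perf_counter()
    assert all(passive_break(pre, A, B) == s for A, B, s in sessions)
    t3 = time.perf_counter()
    print(f"precomputation {t1 - t0:.2f}s once; {len(sessions)} sessions broken in {t3 - t2:.2f}s")
    assert make_safe_prime(32, seed=2)[0] != p  # a server with its own group sends the attacker back to stage 1
```

      The table is the toy analogue of the week of cloud time the comment mentions; the per-session loop is the real-time part. A server that generates its own p (or, as the thread notes, a larger one) does not remove the attack, it removes the amortisation: the attacker has to repeat stage 1 for that server alone, and for a 2048-bit group that stage is out of reach.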

  25. DDDDeeeeeerrr by Anonymous Coward · · Score: 0

    Math hurts my head.

    CU
    Kimberly

  26. "weapons grade encryption" by green1 · · Score: 1

    Encryption is a defensive technology, not a weapon.

    I can't see any good reason (plenty of bad ones!) for ever limiting defensive technologies. Weapons are a different matter because they can cause direct harm to others, but a shield, or armour, or encryption, are all defense only with no offensive angle. They should never be limited.

    1. Re:"weapons grade encryption" by mongothesecond · · Score: 1

      Defensive technologies also enable combatants, sometimes more than a particular offensive technology.

    2. Re:"weapons grade encryption" by green1 · · Score: 1

      But they do far more to protect the innocent than they are capable of doing to assist an enemy.

      As long as governments continue to see innocents as the enemy, we have all lost.

  27. Opportunity to detect MITM attacks? by Ungrounded+Lightning · · Score: 4, Interesting

    I skimmed the start of the paper. If I have this right:

      - Essentially all the currently-deployed web servers and modern browsers have the new, much better, encryption.
      - Many current web servers and modern browsers support talking to legacy counterparts that only have the older, "export-grade", crypto, which this attack breaks handily.
      - Such a server/browser pair can be convinced, by a man-in-the-middle who can modify traffic (or perhaps an eavesdropper-in-the-middle who can also inject forged packets) to agree to use the broken crypto - each being fooled into thinking the broken legacy method is the best that's available.
      - When this happens, the browser doesn't mention it - and indicates the connection is secure.

    Then they go on to comment that the characteristics of the NSA programs leaked by Snowden look like the NSA already had the paper's crack, or an equivalent, and have been using it regularly for years.

    But, with a browser and a web server capable of better encryption technologies, forcing them down to export-grade LEAKS INFORMATION TO THEM that they're being monitored.

    So IMHO, rather than JUST disabling the weak crypto, a nice browser feature would be the option for it to pretend it is unpatched and fooled, but put up a BIG, OBVIOUS, indication (like a watermark overlay) that the attack is happening (or it connected to an ancient, vulnerable, server):
      - If only a handful of web sites trip the alarm, either they're using obsolete servers that need upgrading, or their traffic is being monitored by NSA or other spooks.
      - If essentially ALL web sites trip the alarm, the browser user is being monitored by the NSA or other spooks.

    The "tap detector" of fictional spy adventures becomes real, at least against this attack.

    With this feature, a user under surveillance - by his country's spooks or internal security apparatus, other countries' spooks, identity thieves, corporate espionage operations, or what-have-you, could know he's being monitored, keep quiet about it, lie low for a while and/or find other channels for communication, appear to be squeaky-clean, and waste the tapper's time and resources for months.

    Meanwhile, the NSA, or any other spy operation with this capability, would risk exposure to the surveilled every time it uses it. A "silent alarm" when this capability is used could do more to rein in improper general surveillance than any amount of legislation and court decisions.

    With open source browsers it should be possible to write a plugin to do this. So we need not wait for the browser maintainers to "fix the problem", and government interference with browser providers will fail. This can be done by ANYBODY with the tech savvy to build such a plugin. (Then, if they distribute it, we get into another spy-vs-spy game of "is this plugin really that function, or a sucker trap that does tapping while it purports to detect tapping?" Oops! The source is open...)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Opportunity to detect MITM attacks? by Anonymous Coward · · Score: 0

      The paper also suggests that a state actor such as the NSA might plausibly have the resources to attack 1024-bit DH handshakes similarly to how they're attacking 512-bit DH. If so, this attack will not be detectable.
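      The client-side check that the downgrade in the comment above relies on being absent, as an added worked example for this thread (not code from any browser or TLS library): parse the ServerDHParams block of a ServerKeyExchange (RFC 5246 section 7.4.3, three 16-bit-length-prefixed integers dh_p, dh_g, dh_Ys) and refuse the handshake when the prime is below a policy floor, whatever cipher suite the possibly rewritten ServerHello claims. The `MIN_DH_BITS` value and the two sample messages are constructed for the demo; their "primes" are merely odd numbers of the right size, not real groups. Enforcing the check instead of pretending to be fooled is the conservative version of the feature proposed above; the same parser would feed the "silent alarm" variant.

```python
"""Client-side defence against the Logjam downgrade: reject a Diffie-Hellman
group that is too small, whatever cipher suite the ServerHello claims.

Added example for this thread, not code from any browser or TLS library.
The wire layout is ServerDHParams from RFC 5246 section 7.4.3 (three
16-bit-length-prefixed big-endian integers: dh_p, dh_g, dh_Ys). The policy
floor MIN_DH_BITS and the sample messages are constructed for the demo; the
'primes' are just odd numbers of the right size, not real groups.
"""
import struct
from dataclasses import dataclass

MIN_DH_BITS = 2048  # browsers settled on 1024 right after Logjam; 2048 is the conservative floor


@dataclass(frozen=True)
class ServerDHParams:
    p: int
    g: int
    ys: int


class WeakDHGroup(Exception):
    pass


def _read_opaque16(buf, off):
    """One opaque<1..2^16-1> vector: 2-byte length, then that many bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated vector length")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n


def parse_server_dh_params(body):
    """Parse dh_p, dh_g, dh_Ys from the start of a ServerKeyExchange body.
    Returns (params, bytes_consumed); the signature that follows in DHE_RSA
    suites is left to the caller."""
    p_b, off = _read_opaque16(body, 0)
    g_b, off = _read_opaque16(body, off)
    ys_b, off = _read_opaque16(body, off)
    to_int = lambda b: int.from_bytes(b, "big")
    return ServerDHParams(to_int(p_b), to_int(g_b), to_int(ys_b)), off


def encode_server_dh_params(p, g, ys):
    """Inverse of the parser, used here to build the constructed samples."""
    def vec(x):
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    return vec(p) + vec(g) + vec(ys)


def check_dh_params(params, min_bits=MIN_DH_BITS):
    """Raise WeakDHGroup unless the group passes policy; return the prime size.

    The size check is what defeats the downgrade: a MITM can rewrite the
    cipher suite bytes in ClientHello/ServerHello, but it cannot make the
    server's 512-bit export prime look like a 2048-bit one.
    """
    bits = params.p.bit_length()
    if bits < min_bits:
        raise WeakDHGroup(f"dh_p is {bits} bits, policy requires at least {min_bits}")
    if params.p % 2 == 0:
        raise WeakDHGroup("dh_p is even")
    if not 2 <= params.g <= params.p - 2:
        raise WeakDHGroup("dh_g out of range")
    if not 2 <= params.ys <= params.p - 2:
        raise WeakDHGroup("dh_Ys out of range")  # 0, 1 and p-1 force a trivial shared secret
    return bits


def evaluate_server_key_exchange(body, min_bits=MIN_DH_BITS):
    """Return (accepted, reason) for a ServerKeyExchange body."""
    try:
        params, _ = parse_server_dh_params(body)
        bits = check_dh_params(params, min_bits)
    except (ValueError, WeakDHGroup) as exc:
        return False, str(exc)
    return True, f"{bits}-bit group accepted"


# Constructed samples (not real groups): what the client sees after a MITM
# forced DHE_EXPORT on the server, and what a properly configured server sends.
EXPORT_P = (1 << 511) | 0x5F1D
STRONG_P = (1 << 2047) | 0xB3
SAMPLE_EXPORT_SKE = encode_server_dh_params(EXPORT_P, 2, (1 << 400) | 0x42)
SAMPLE_STRONG_SKE = encode_server_dh_params(STRONG_P, 2, (1 << 1500) | 0x42)

if __name__ == "__main__":
    for name, msg in (("downgraded", SAMPLE_EXPORT_SKE), ("honest", SAMPLE_STRONG_SKE)):
        print(name, evaluate_server_key_exchange(msg))
```

      The caveat the reply above raises still applies: a size floor only helps against groups the attacker cannot afford to precompute, so the floor has to track what a state actor can break, and a 1024-bit floor is the minimum the paper's numbers justify, not a comfortable one. Nothing in this check tells the client whether the server's group is one of the widely shared defaults; that needs a list of known group fingerprints, which this example does not include.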

  28. Re:Internet Explorer is the only browser yet updat by aaarrrgggh · · Score: 1

    Mobile Safari, and the Apple Watch OS were updated yesterday.

  29. Re:This is why you should never vote democrat... by gweihir · · Score: 0

    ... or a lot worse, vote for a Republican.

    The US political system is completely screwed with only bad options left for the voters.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  30. Random observations by WaffleMonster · · Score: 1

    NSA owning VPNs is not surprising given pathetic state of VPN technology as currently deployed. Widespread use of group keys, PPTP and challenge response authentication. A tragedy of nonsense NSA would have to be negligently incompetent to not take full advantage of.

    It isn't like this is a big secret or that people don't know better. The bells have been ringing for years ... dare I say decades in some cases yet many in a position to know better simply don't care.

    What is interesting to me is that the distance between EC and RSA in terms of relative key size vs security seems to be shrinking by quite a lot.

    Honestly I never put much stock in differences between precomputation vs having to start over.
    I know practically it makes it a lot easier to do a lot of damage but from my perspective if you have the resources to pull off something just once even if that effort can't be reused the technology has already failed.

    I have not been able to quite figure out what they meant when they said TLS is broken. I understand the part of being able to negotiate parameters with a TLS extension yet at the end of the day if you are able to break lowest common denominator crypto so bad you can compromise handshake then secure negotiation must also cease to be secure.

  31. Re: Breaking the single, most common 1024-bit prim by Anonymous Coward · · Score: 0

    There's nothing to understand; the summary is quoting confused idiots. Anyone who thinks a prime number can be "broken" doesn't know the first thing about cryptography.

  32. Re:Internet Explorer is the only browser yet updat by gizmo2199 · · Score: 1

    Android was updated... Nevermind I can't afford a new phone.

    --
    This Sig does not Exist.
  33. Re:And that is why you do not downgrade encryption by Anonymous Coward · · Score: 0

    Thanks for summarizing what was already in the summary. Have a +5 Informative.