A vulnerability has been discovered in a cryptographic algorithm used by tens of thousands of web servers to create secure TLS connections with browsers. As I write, almost nine percent of the web servers in the Alexa Top 1 million sites are vulnerable, as are a huge number of mail servers.
The best way to mitigate the risk of attack is to ensure that you’re running the latest version of your browser. If you’re a server administrator, you should ensure that your server does not support export cipher suites and upgrade OpenSSL and other TLS libraries to their most recent versions.
The Logjam vulnerability, which was discovered by a team of computer scientists, exploits a deliberate weakening of security to crack HTTPS connections. In the 90s, the US Government decided that the export of strong encryption was likely to prove dangerous, and, so that it could break the encryption of foreign entities, the only encryption algorithms licensed for export were very weak compared to today’s standards.
We’ve since moved on from that sort of thinking, but many web servers and email servers still support the export protocols. Usually, that isn’t a problem, because browsers also support stronger protocols and will request the stronger encryption where available, making most encrypted sessions perfectly safe.
But most popular browsers, including Google Chrome, Firefox, and Safari, have a vulnerability that allows them to be forced to request the export protocols. If a server supports the weak export-grade Diffie-Hellman key exchange (DHE_EXPORT), attackers can use the browser vulnerability to downgrade the connection so that it uses 512-bit export-grade cryptography. Man-in-the-middle attackers watching the connection can then decrypt, read, and modify data as it moves between server and browser.
It appears that recent versions of Internet Explorer have already been patched, and fixes are on the way for other browsers, but the best way to mitigate the risk of Logjam is to ensure that web servers no longer support export-grade encryption. There is no excuse for web service providers and site owners to support the older protocols. The proportion of web clients (browsers) that can’t use modern encryption protocols is vanishingly small and legacy support simply isn’t worth the risk.
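For administrators reviewing scan results, the following added example (not from the researchers or the original article) sorts the cipher suites a server accepts into DHE_EXPORT suites, other export suites, and everything else. The sample list is constructed, and the function names are this example's own; it recognises both IANA-style and OpenSSL-style suite names.

```python
import re

# Constructed sample: cipher suites a scanner reported as accepted by a server,
# mixing IANA names and OpenSSL names (tools report either form).
SAMPLE_ACCEPTED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "EXP-EDH-RSA-DES-CBC-SHA",
    "EXP-RC4-MD5",
    "DHE-RSA-AES256-SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]

# IANA export suites carry "_EXPORT_WITH_"; OpenSSL marks them with an "EXP-" prefix.
_IANA_EXPORT = re.compile(r"^TLS_(?P<kx>.+?)_EXPORT_WITH_")
_OPENSSL_EXPORT = re.compile(r"^EXP-(?P<rest>.+)$")


def classify(suite):
    """Return 'dhe_export', 'other_export' or 'ok' for one cipher suite name."""
    name = suite.strip()
    m = _IANA_EXPORT.match(name)
    if m:
        # Key exchange is the part before _EXPORT, e.g. DHE_RSA or RSA.
        return "dhe_export" if m.group("kx").startswith("DHE_") else "other_export"
    m = _OPENSSL_EXPORT.match(name)
    if m:
        # OpenSSL spells ephemeral DH as EDH- in older releases and DHE- in newer ones.
        is_dhe = m.group("rest").startswith(("EDH-", "DHE-"))
        return "dhe_export" if is_dhe else "other_export"
    return "ok"


def audit(suites):
    """Group suite names by classification; both export groups should be empty."""
    report = {"dhe_export": [], "other_export": [], "ok": []}
    for s in suites:
        report[classify(s)].append(s.strip())
    return report


def is_logjam_exposed(suites):
    """True if any accepted suite uses the DHE_EXPORT key exchange."""
    return bool(audit(suites)["dhe_export"])


if __name__ == "__main__":
    for kind, names in audit(SAMPLE_ACCEPTED).items():
        print(f"{kind}: {names}")
```

Any name in either export group is a suite to remove from the server's configuration; a non-empty `dhe_export` group is the case this article describes.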
If you are curious whether your browser is vulnerable, the researchers created an information site with more details about Logjam. It includes a test that will check your browser. The page also includes instructions for site owners, hosting companies, and server administrators for removing the vulnerability.
The researchers also published a detailed academic paper that goes into depth about the causes of Logjam.