A new attack vulnerability has been found that has ten of thousands of HTTPS-protect websites, mail servers and other internet services open to eavesdropping. There are 8.4% of the top million websites open to this vulnerability and more mail services using the IPv4 address space. The issue is found in the Diffie-Hellman key exchange, and the attack called Logjam. Mail servers that use simple mail transfer protocol with StartTLS, secure POP3 and IMAP are vulnerable in 14.8 percent, 8.9 percent and 8.4 percent.
The Diffie-Hellman key exchange was designed for users who have no contact with each other can send encrypted information to each other. A shared key is agreed upon using the Diffie-Hellman key exchange for allowing Internet protocols on a negotiated secure connection. HTTPS, SSH, IPsec, SMTPS and other protocols that need TLS require the Diffie-Hellman key exchange.
In regards to the attack, Logjam is when a third-party, a person in the middle of the connection, attacks the TLS connection and downgrades the security to 512-bit export grade cryptography. This gives the attacker the ability to read and manipulate all the data within the connection. Any server that supports the DHE_EXPORT cipher is open to attack, and RSA key exchanges aren’t being attacked in this way.
It is possible that this is how the NSA gains access to information being sent by Internet users across the world. According to an email sent to Ars Technica by J. Alex Halderman, a scientist who was behind the research, “Logjam shows us once again why it’s a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for. That’s exactly what the US did in the 1990s with crypto export restrictions, and today that backdoor is wide open, threatening the security of a large part of the Web.”
Finding the vulnerability means that a solution can be found, but a problem remains of how much information was compromised and of what will be done with that information. Another issue is, if it is how the NSA have been decrypting information sent through the Internet, are other countries doing this, how many countries or hacker groups are aware of this vulnerability?
At the moment, only Internet Explorer has been updated to fix the vulnerability. A fix is to be released soon for Chrome, Firefox and Safari designed to reject anything below 1024 bites of key material.