Logjam Vulnerability: 5 Key IssuesDon't Rush to Fix 20-Year-Old Flaw, Experts Say
While the "Logjam" vulnerability raises serious concerns, there's no need to rush related patches into place, according to several information security experts.
These pros have been helping organizations understand how best to react to the announcement this week that a team of computer scientists have discovered a 20-year-old flaw in Transport Layer Security (see Massive 'Logjam' Flaw Discovered). And given the age of the flaw and absence - so far - of publicly documented exploits, experts say organizations do not need to rush related fixes into place.
That is not to downplay the severity of the Logjam flaw, which makes supposedly secure TLS-using services vulnerable to being decrypted by an attacker by allowing the services to be tricked into using 512-bit keys, which are easy to decrypt, thus allowing HTTPS sessions to be cracked. Websites, mail servers and virtual private networks are among the services vulnerable to these downgraded crypto attacks.
Here are five related concerns and recommendations for how businesses should respond:
1. Beware of Passive Decryption
Logjam is dangerous because it can be used for "practical, passive decryption" of numerous sites and servers, warns security researcher Kenneth White, co-director of the Open Crypto Audit Project, via Twitter.
Indeed, the researchers who discovered Logjam say they believe that a well-funded nation-state entity - such as the U.S. National Security Agency - could crack not just 512-bit keys, but also some 1024-bit keys. If so, and they were to compromise the two most widely used prime numbers employed by Diffie-Hellman key exchanges, then 66 percent of the world's VPNs and 26 percent of all SSH servers would be vulnerable. "A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break," the researchers say in a related paper. "Moving to stronger key exchange methods should be a priority for the Internet community."
2. Never Allow 'Export' Crypto
The Logjam vulnerability concerns Diffie-Hellman ciphersuites, which are widely used and well-regarded by cryptographers, except when used in weak "export strength," says Filippo Valsorda, a systems engineer at distributed denial-of-service attack defense firm CloudFlare, in a blog post.
"Export cryptography is a relic of the 90's U.S. restrictions on cryptography export. In order to support SSL in countries to where the U.S. had disallowed exporting 'strong cryptography,' many implementations support weakened modes called EXPORT modes," Valsorda says. "We've already seen an attack that succeeded because connections could be forced to use these modes even if they wouldn't want to; this is what happened with the Freak vulnerability. It's telling that 20 years after these modes became useless, we are still dealing with the outcome of the added complexity."
That analysis remains relevant today, in the wake of some government officials - including FBI Director James Comey - attempting to weaken the use of "strong encryption."
3. Expect Broken Websites
The researchers who discovered Logjam say that the related fixes made by browser manufacturers may make more than 20,000 websites unreachable until they have been upgraded with better crypto. That's because the only fix for Logjam is to ensure that clients - including browsers - do not accept any weak Diffie-Hellman parameters. Currently, that means only accepting at least 1024 bits and refusing to connect to any server that only offers less, Valsorda says. "This is what all modern browsers are now doing, but it wasn't done before because it causes breakage," and also because before, no one knew "that there was [a] way to trick a server into choosing such weak parameters, if it wouldn't normally."
While fixes are being rushed out by browser makers - in the form of updates - more big-picture changes may still be required. Despite related requests from developers dating to at least 2007, for example, Oracle continued to restrict Java to using a maximum of 1024-bit long prime numbers, notes Matthew Green, a cryptographer and professor at Johns Hopkins University who is part of the team that discovered Logjam and Freak. While that restriction was lifted for Java version 8, released in 2014, widely used older versions of Java still have the cap.
4. Don't Rush Patching
But when it comes to fixing Logjam, numerous security experts say businesses need not panic, or rush. "Not all vulnerabilities are problems; not all problems are the same size," says William Hugh Murray, a management consultant and trainer in information assurance. "While you may want to patch this, unless you are terribly risk averse, there is no hurry. After all, it has been there almost 20 years. Even if you are a target of the NSA, this publicity does not increase your risk. When you hear reports of other exploitation, you will still have time."
Murray says that while researchers report that 80 percent of all sites that use 512-bit Diffie-Hellman keys are at risk, that does not mean that active attacks are under way. "Keep in mind that while 512 bit keys are well within the capabilities of the NSA, they are still relatively expensive even for them." He offers a reminder of famous cryptographer Adi Shamir's Third Rule: "People do not break crypto, they bypass it."
Sean Sullivan, a security advisor at Finnish antivirus vendor F-Secure, likewise says that based on the NSA documents leaked by former contractor Edward Snowden, tactically speaking, the agency appears to prefer to bypass cryptography whenever possible. "Based on what I've read from the Snowden docs, it's still more reliable to compromise an endpoint - and act as a man-in-the-middle - for intelligence collection [purposes]," he says, than to attempt to crack crypto, for example via Logjam.
"So even though 8.4 percent of 'the top 1 million domains' are/were initially vulnerable, I'm not too concerned about Logjam attacks against the TLS protocol," he says, especially because the vast majority of those sites likely do not even use HTTPS by default.
5. Expect More Internet Flaws
Both the Logjam and Freak flaws were discovered because a team of computer scientists from INRIA, Microsoft Research, Johns Hopkins, the University of Michigan, and the University of Pennsylvania has been actively looking for such flaws - especially in protocols that underpin Internet security. Part of their agenda is to identify and fix weaknesses, because those weaknesses may already be getting exploited by nation-state actors, such as the NSA.
"Events like this [discovering Logjam] are ultimately a good thing for the security industry and the Web at large since they mean that skilled people are looking at what we rely on to secure our connections and fix its flaws," CloudFlare's Valsorda says. "They also put a spotlight on how the added complexity of supporting reduced-strength crypto and older devices endangers and adds difficulty to all of our security efforts."
Independent security researcher Jacob Appelbaum says via Twitter that too much of the Internet's security foundation "is almost all broken or just garbage," and thus communications remain all too vulnerable to being intercepted by a well-funded third party. Still, multiple fix efforts are under way, with White's Open Crypto Audit Project, for example, now auditing OpenSSL - following the discovery of the Freak flaw - on behalf of the Linux Foundation.
Security experts also say it is no surprise that there are so many flaws in foundational parts of the Internet, given the piecemeal manner in which the Internet - and related security controls - came into existence, which was thanks to the efforts of thousands of different contributors, who often focused first on facilitating communication, rather than information security concerns. "It's like an amateur rock band here," Johns Hopkins' Green tells The Wall Street Journal.