Microsoft and a number of academics have revealed another vulnerability dating from the era of export-restricted encryption, this time in a widely used key-exchange algorithm rather than in a cipher itself.

The find comes after the recent discovery of another legacy encryption vulnerability, dubbed “FREAK”, back in March this year.

Encrypted Communications

The latest SSL/TLS flaw has been named the Logjam attack by Microsoft Research, which teamed up with a number of American and French institutions including Johns Hopkins University, the University of Pennsylvania and the research institute INRIA Paris-Rocquencourt.

Like the FREAK vulnerability, the Logjam flaw dates back to the 1990s, when the United States maintained export restrictions on encryption technology. Until 1999 the US had barred companies from shipping products overseas that contained strong encryption, as it classed encryption as a munition, but it allowed the export of deliberately weakened, more breakable “export-grade encryption”.

The new flaw is potentially serious indeed: the researchers found that about 8 percent of the top one million HTTPS websites still supported the export-grade variant of the key exchange. That means roughly one in every twelve websites that people believe are secure could be downgraded by an attacker.

The Logjam flaw concerns SSL/TLS communication, where a user assumes that their web browsing is secured because the padlock icon appears in the browser's address bar. Specifically, it affects the “Diffie-Hellman key exchange”, the algorithm that lets two parties agree on a shared secret key over an untrusted network without ever sending that key. Protocols such as HTTPS, SSH, IPsec and SMTPS use it to set up an encrypted connection.

The attack is a “man-in-the-middle” downgrade: an attacker who can tamper with the connection handshake tricks the client and server into using 512-bit export-grade Diffie-Hellman parameters, even though neither side asked for them. The server signs the parameters it sends, but that signature does not cover which cipher suite was negotiated, so the client cannot tell that the weak parameters were substituted. The “512-bit” figure refers to the size of the Diffie-Hellman prime modulus, not to a symmetric key such as a 256-bit AES key, so the two are not comparable; a 512-bit group is far weaker than the 1024-bit and 2048-bit groups in normal use, and is well within reach of academic computing resources, never mind those of government agencies such as the NSA or GCHQ.
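To make the mechanics concrete, the following is an added example and not code from the article or from the Logjam researchers. It simulates a TLS 1.2-style DHE handshake between a client, a server that still offers an export-grade suite, and a man-in-the-middle who rewrites the cipher-suite negotiation. The cipher-suite names and groups are constructed for the demonstration, the server's signature is modelled as an HMAC under a key the client is assumed to hold (standing in for the server's RSA signature; what matters is what the signature covers, not the primitive), and the 1024-bit minimum enforced by the patched client is the kind of check described under “Double-Edged Fix” below.

```python
# Added example: simulated DHE handshake showing the Logjam downgrade and the
# client-side minimum-modulus fix. Stdlib only; groups are generated at import.
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits):
    """Random prime modulus of exactly `bits` bits with generator 2.
    Real deployments use safe primes or the fixed RFC 7919 groups; a random
    prime is enough to demonstrate the size check and the handshake flow."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p):
            return p, 2


# Constructed suites: the normal DHE suite and an export-grade one whose
# 512-bit modulus matches what affected servers offered in 2015.
GROUPS = {"DHE_RSA": make_group(1024), "DHE_RSA_EXPORT": make_group(512)}
SERVER_KEY = secrets.token_bytes(32)  # assumed signing key (HMAC stands in for RSA)


def sign(params):
    """Mirrors TLS 1.2: the ServerKeyExchange signature covers only the DH
    parameters (p, g, Ys), not the negotiated cipher suite. That gap is what
    the downgrade exploits."""
    encoded = b"|".join(str(v).encode() for v in params)
    return hmac.new(SERVER_KEY, encoded, hashlib.sha256).digest()


def server_respond(client_hello):
    """Pick the first offered suite the server supports and send signed DH
    parameters. Returns the message and the server's private exponent."""
    suite = next(s for s in client_hello["suites"] if s in GROUPS)
    p, g = GROUPS[suite]
    xs = secrets.randbelow(p - 2) + 1
    params = (p, g, pow(g, xs, p))
    return {"suite": suite, "params": params, "sig": sign(params)}, xs


def client_finish(server_msg, min_bits=None):
    """Verify the signature, enforce a minimum modulus size if configured,
    and derive the shared secret. Returns (secret, client public value)."""
    p, g, ys = server_msg["params"]
    if not hmac.compare_digest(sign((p, g, ys)), server_msg["sig"]):
        raise ValueError("bad signature")
    if server_msg["suite"] != "DHE_RSA":
        raise ValueError("unexpected suite")
    if min_bits is not None and p.bit_length() < min_bits:
        raise ValueError(f"DH modulus is only {p.bit_length()} bits; minimum is {min_bits}")
    xc = secrets.randbelow(p - 2) + 1
    return pow(ys, xc, p), pow(g, xc, p)


def handshake(min_bits=None, attacker=False):
    """Run one handshake. Returns (modulus bits, both sides agree on the
    secret) on success, or the client's error message if it aborts."""
    hello = {"suites": ["DHE_RSA"]}             # an honest client never offers export suites
    if attacker:
        hello = {"suites": ["DHE_RSA_EXPORT"]}  # MITM rewrites the ClientHello...
    msg, xs = server_respond(hello)
    if attacker:
        msg = dict(msg, suite="DHE_RSA")        # ...and rewrites the ServerHello back
    try:
        client_secret, yc = client_finish(msg, min_bits)
    except ValueError as err:
        return str(err)
    p = msg["params"][0]
    server_secret = pow(yc, xs, p)
    return p.bit_length(), client_secret == server_secret


if __name__ == "__main__":
    print("honest:            ", handshake())
    print("vulnerable client: ", handshake(attacker=True))
    print("patched client:    ", handshake(min_bits=1024, attacker=True))
```

The unpatched client completes the downgraded handshake with a 512-bit modulus and a valid signature, so nothing in the handshake itself warns it. In real TLS the attacker must then also solve the 512-bit discrete logarithm quickly enough to forge the Finished messages, which is exactly what the per-group precomputation described by the researchers makes feasible; this simulation stops at key agreement. The patched client rejects the parameters before deriving any key, which is the behaviour browsers adopted.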

Indeed, the researchers showed that after about a week of precomputation against one widely shared 512-bit group, individual connections using that group can be broken in roughly a minute, so agencies with supercomputing resources can certainly do it in minutes. It is also worth noting that the researchers believe the NSA is capable of breaking 1024-bit Diffie-Hellman as well.

“In the 1024-bit case, we estimate that such computations are plausible given nation-state resources, and a close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break,” wrote the researchers.

“The Diffie-Hellman key exchange is a cornerstone of many cryptographic protocols,” they said. “Despite its relative simplicity and elegance, practical complications and technical debt over decades have left modern implementations vulnerable to attack from even low-resource adversaries. Additionally, due to a breakdown in communication between cryptographers and system implementers, there is evidence that suggests the way we are using Diffie-Hellman in today’s protocols is insufficient to protect against state-level actors.”

Double-Edged Fix

The good news is that web browser vendors are already working on fixes, which make the browser reject the 512-bit export-grade Diffie-Hellman parameters instead of silently accepting them.

But it should be noted that users may not be able to access certain websites after upgrading their browser. Indeed, the Wall Street Journal estimates that 20,000 websites could be blocked by the patched browsers.

“The solution is relatively simple – you disable this legacy function on your system,” Prof Alan Woodward, a cybersecurity expert at the University of Surrey, was quoted by the BBC as saying.

“Unfortunately, some older web servers might then be prevented from starting a secure conversation with the updated web browsers as they would support only those older, shorter, weaker key lengths,” Professor Woodward said. “But do you really want this backward compatibility if it means others could be forced to use this weaker form of encryption?”


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
