Monday, May 25, 2015
20 year old LogJam bug proves that 'crypto is hard'
Another month, another flaw related to the historical US export restrictions on cryptography; this time in the form of LogJam. It hits SSL 3.0 and TLS 1.0, which supported reduced-strength DHE_EXPORT ciphersuites restricted to primes no longer than 512 bits. That means a man-in-the-middle attack can force the use of the lower export-strength cipher without the user being aware. The flaw impacts something like eight per cent of the top one million web domains and all the major web browser clients. Well, almost: Internet Explorer has already been patched (nice one Microsoft), with Firefox expected to follow soon and Chrome after that, although timescales are not yet confirmed. You can check whether your browser has been updated by visiting https://weakdh.org
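As an added example (not part of the original post), here is the kind of check a client or a network monitor can apply to the Diffie-Hellman parameters a server sends in its ServerKeyExchange message: parse the prime and flag it when it is export-sized. The 1024-bit `min_bits` policy value and the helper names are assumptions, and the sample parameters are constructed values, not real primes.

```python
import struct

EXPORT_MAX_BITS = 512  # export-grade prime limit stated in the post


def _read_vec(buf, off):
    """Read one TLS variable-length vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n


def parse_server_dh_params(body):
    """Parse dh_p, dh_g, dh_Ys from the start of a ServerKeyExchange body.
    Bytes after dh_Ys (the server's signature) are left untouched."""
    p, off = _read_vec(body, 0)
    g, off = _read_vec(body, off)
    ys, off = _read_vec(body, off)
    return (int.from_bytes(p, "big"), int.from_bytes(g, "big"),
            int.from_bytes(ys, "big"), off)


def classify_dh_group(body, min_bits=1024):
    """Return (prime_bits, verdict). min_bits is an assumed local policy."""
    p, _g, _ys, _end = parse_server_dh_params(body)
    bits = p.bit_length()
    if bits <= EXPORT_MAX_BITS:
        return bits, "export-grade"
    if bits < min_bits:
        return bits, "below-policy"
    return bits, "ok"


def build_params(p, g, ys):
    """Encode constructed test parameters in the same wire layout."""
    out = b""
    for n in (p, g, ys):
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


if __name__ == "__main__":
    # Constructed samples: odd numbers of the right size, not real primes.
    for size in (512, 768, 2048):
        sample = build_params((1 << (size - 1)) | 1, 2, 5)
        print(size, classify_dh_group(sample))
```
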