Posted on 05/20/2015 8:25:10 PM PDT by Utilizer
...
Researchers have discovered a new security flaw that could affect tens of thousands of HTTPS websites, mail servers and other services by allowing attackers to downgrade the Transport Layer Security (TLS) connections to 512-bit export-grade cryptography to crack that connection and read any data being transmitted.
Dubbed LogJam, researchers from Microsoft, John Hopkins University, University of Michigan, University of Pennsylvania and the Inria Nancy-Grand Est research in France, discovered the flaw some months ago, and have subsequently informed browser makers about the issue, who are currently patching.
The research team has published a technical paper (pdf) and built a useful microsite, which sheds more light on the issue, as well as how to address the problem.
Services reliant on the Diffie-Hellman key exchange algorithm could potentially be vulnerable. The flaw in the TLS protocol affects thousands of web and email servers, as well as VPNs.
The Diffie-Hellman key exchange is a popular cryptographic algorithm used in several internet protocols that rely on TLS, as well as HTTPS, SSH, IPsec and SMTPs. Put simply, it agrees on a shared key for a secure web connection.
However, US export rules dating back from the 1990s stipulated that TLS connections should support weakened, “export-grade” 512-bit encryption, which some sceptics say was put in place with the NSA in mind.
(Excerpt) Read more at itnews.com.au ...
Sounds like this one’s fairly straightforward to mitigate on a webserver — just disable the old broken Ciphers (CipherSuite setting in Apache) I think. Gotta do some more research on it though...
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.