Logjam (computer security): Difference between revisions
+quotations |
better firefox quotation |
||
Line 30: | Line 30: | ||
</ref> |
</ref> |
||
* On July 30, 2015, the [[Mozilla]] project released a fix for the [[Firefox]] browser.<ref> |
* On July 30, 2015, the [[Mozilla]] project released a fix for the [[Firefox]] browser.<ref> |
||
{{cite web |
|||
| title=Firefox 39.0 Release Notes |
|||
| publisher=[[Mozilla]] |
|||
| url=https://www.mozilla.org/en-US/firefox/39.0/releasenotes/ |
|||
| quote=FIXED Update to NSS 3.19.2 |
|||
}} |
|||
</ref><ref> |
|||
{{cite web |
{{cite web |
||
| title=Mozilla Foundation Security Advisory 2015-70 - NSS accepts export-length DHE keys with regular DHE cipher suites |
| title=Mozilla Foundation Security Advisory 2015-70 - NSS accepts export-length DHE keys with regular DHE cipher suites |
||
| publisher=[[Mozilla]] |
| publisher=[[Mozilla]] |
||
| url=https://www.mozilla.org/en-US/security/advisories/mfsa2015-70/ |
| url=https://www.mozilla.org/en-US/security/advisories/mfsa2015-70/ |
||
| quote=FIXED IN Firefox 39.0 [...] This attack [...] is known as the "Logjam Attack." |
| quote=FIXED IN Firefox 39.0 [...] This attack [...] is known as the "Logjam Attack." This issue was fixed in NSS version 3.19.1 by limiting the lower strength of supported DHE keys to use 1023 bit primes. |
||
}} |
}} |
||
</ref> |
</ref> |
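Review bot: the sentence these citations support, in the unchanged first line of the hunk, dates the Firefox fix to July 30, 2015, yet the revision is timestamped 4 July 2015 and neither cite web template carries a date or accessdate parameter, so the date cannot be checked against the source as cited. Add a date parameter to the MFSA 2015-70 citation, taken from the advisory page, and correct the sentence to match it. Separately, the release-notes citation that this edit removes held the only mention of "NSS 3.19.2", while the extended advisory quote names NSS version 3.19.1; if the article is meant to say which NSS version shipped in Firefox 39.0, keep a source for that.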
Revision as of 09:00, 4 July 2015
Logjam is a security vulnerability in Diffie–Hellman key exchange that targets US export-grade 512-bit keys. It was discovered by a group of computer scientists and publicly reported on May 20, 2015.[1][2][3][4] The vulnerability allows a man-in-the-middle network attacker to downgrade a Transport Layer Security (TLS) connection to export-grade cryptography, which lets the attacker read the exchanged data and inject data into the connection. It affects the HTTPS, SMTPS, and IMAPS protocols, among others.[5] Its CVE ID is CVE-2015-4000.[6]
Responses
- On May 12, 2015, Microsoft released a patch for Internet Explorer.[7]
- On June 16, 2015, the Tor Project provided a patch for Logjam to the Tor Browser.[8]
- On June 30, 2015, Apple released a patch for both the OS X Yosemite and iOS 8 operating systems.[9][10]
- On July 30, 2015, the Mozilla project released a fix for the Firefox browser.[11]
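The advisories quoted in the references all describe the same client-side mitigation: refuse Diffie–Hellman primes below a minimum size. The following is an added example, not code from the article or from any of the vendors; it parses the ServerDHParams fields of a TLS ServerKeyExchange body and applies the three minimums quoted on this page. The function names and sample inputs are constructed for illustration, and treating each quoted figure as an inclusive lower bound is an assumption.

```python
import struct

# Minimum DHE prime sizes in bits, as quoted in the advisories this page cites.
VENDOR_MINIMUM_BITS = {
    "Microsoft MS15-055": 1024,
    "Apple OS X 10.10.4 / iOS 8.4": 768,
    "Mozilla NSS 3.19.1": 1023,
}

def read_opaque16(buf, offset):
    """Read one TLS opaque<1..2^16-1> field: 2-byte big-endian length, then data."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from("!H", buf, offset)
    end = offset + 2 + length
    if length == 0 or end > len(buf):
        raise ValueError("invalid opaque field length")
    return buf[offset + 2:end], end

def parse_server_dh_params(buf):
    """Parse ServerDHParams (dh_p, dh_g, dh_Ys) from a ServerKeyExchange body."""
    values, offset = [], 0
    for _ in range(3):
        field, offset = read_opaque16(buf, offset)
        values.append(int.from_bytes(field, "big"))
    return tuple(values)

def check_dh_prime(buf, minimum_bits):
    """Return (accepted, prime_bits). The size is taken from the integer value,
    so leading zero bytes cannot make a short prime look long."""
    p, _g, _ys = parse_server_dh_params(buf)
    return p.bit_length() >= minimum_bits, p.bit_length()

def constructed_params(prime_bits, pad_to_bytes=0):
    """Constructed sample input: an odd integer of the requested bit length
    stands in for the prime (not a real prime; only its size matters here)."""
    p = (1 << (prime_bits - 1)) | 1
    p_bytes = p.to_bytes(max((prime_bits + 7) // 8, pad_to_bytes), "big")
    fields = [p_bytes, b"\x02", b"\x05"]  # dh_p, dh_g = 2, dh_Ys = 5
    return b"".join(struct.pack("!H", len(f)) + f for f in fields)

def policy_table(prime_bits):
    """Which of the cited minimums would accept a prime of this size."""
    sample = constructed_params(prime_bits)
    return {name: check_dh_prime(sample, minimum)[0]
            for name, minimum in VENDOR_MINIMUM_BITS.items()}
```

Under these minimums a 512-bit export-grade prime is refused everywhere, while a 768-bit prime passes only the Apple threshold.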
References
- ^ "The Logjam Attack". weakdh.org. 2015-05-20.
- ^ Dan Goodin (2015-05-20). "HTTPS-crippling attack threatens tens of thousands of Web and mail servers". Ars Technica.
- ^ Charlie Osborne (2015-05-20). "Logjam security flaw leaves top HTTPS websites, mail servers vulnerable". ZDNet.
- ^ http://www.wsj.com/articles/new-computer-bug-exposes-broad-security-flaws-1432076565
- ^ Adrian, David; Bhargavan, Karthikeyan; Durumeric, Zakir; Gaudry, Pierrick; Green, Matthew; Halderman, J. Alex; Heninger, Nadia; Springall, Drew; Thomé, Emmanuel; Valenta, Luke; VanderSloot, Benjamin; Wustrow, Eric; Zanella-Béguelin, Santiago; Zimmermann, Paul (May 2015). "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice" (PDF).
- ^ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
- ^ "Microsoft Security Bulletin MS15-055. Vulnerability in Schannel Could Allow Information Disclosure (3061518)". Microsoft Corporation. 2015-05-12.
  This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed Logjam technique, [...] The security update addresses the vulnerability by increasing the minimum allowable DHE key length to 1024 bits.
- ^ https://blog.torproject.org/blog/tor-browser-452-released
- ^ "About the security content of OS X Yosemite v10.10.4 and Security Update 2015-005". Apple Inc.
  This issue, also known as Logjam, [...] was addressed by increasing the default minimum size allowed for DH ephemeral keys to 768 bits.
- ^ "About the security content of iOS 8.4". Apple Inc.
  This issue, also known as Logjam, [...] was addressed by increasing the default minimum size allowed for DH ephemeral keys to 768 bits.
- ^ "Mozilla Foundation Security Advisory 2015-70 - NSS accepts export-length DHE keys with regular DHE cipher suites". Mozilla.
  FIXED IN Firefox 39.0 [...] This attack [...] is known as the "Logjam Attack." This issue was fixed in NSS version 3.19.1 by limiting the lower strength of supported DHE keys to use 1023 bit primes.