Logjam (computer security)
Appearance
Logjam is a security vulnerability against US export-grade 512-bit keys in Diffie–Hellman key exchange. It was discovered by a group of computer scientists and publicly reported on May 20, 2015.[1][2][3][4] The vulnerability allows a man-in-the-middle network attacker to downgrade a Transport Layer Security (TLS) connection to use export-grade cryptography, allowing him to read the exchanged data and inject data into the connection. It affects the HTTPS, SMTPS, and IMAPS protocols, among others.[5] Its CVE ID is CVE-2015-4000.[6]
Responses
- On May 12, 2015, Microsoft released a patch for Internet Explorer.[7]
- On June 16, 2015, the Tor Project provided a patch for Logjam to the Tor Browser.[8]
- On June 30, 2015, Apple released a patch for both OS X Yosemite and iOS 8 operating system.[9][10]
- On July 30, 2015, the Mozilla project released a fix for the Firefox browser.[11][12]
See also
References
- ^ "The Logjam Attack". weakdh.org. 2015-05-20.
- ^ Dan Goodin (2015-05-20). "HTTPS-crippling attack threatens tens of thousands of Web and mail servers". Ars Technica.
- ^ Charlie Osborne (2015-05-20). "Logjam security flaw leaves top HTTPS websites, mail servers vulnerable". ZDNet.
- ^ http://www.wsj.com/articles/new-computer-bug-exposes-broad-security-flaws-1432076565
- ^ Adrian, David; Bhargavan, Karthikeyan; Durumeric, Zakir; Gaudry, Pierrick; Green, Matthew; Halderman, J. Alex; Heninger, Nadia; Springall, Drew; Thomé, Emmanuel; Valenta, Luke; VanderSloot, Benjamin; Wustrow, Eric; Zanella-Béguelin, Santiago; Zimmermann, Paul (May 2015). "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice" (PDF).
- ^ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
- ^
"Microsoft Security Bulletin MS15-055. Vulnerability in Schannel Could Allow Information Disclosure (3061518)". Microsoft Corporation. 2015-05-12.
This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed Logjam technique, [...] The security update addresses the vulnerability by increasing the minimum allowable DHE key length to 1024 bits.
- ^ https://blog.torproject.org/blog/tor-browser-452-released
- ^ "About the security content of OS X Yosemite v10.10.4 and Security Update 2015-005". Apple Inc.
- ^ "About the security content of iOS 8.4". Apple Inc.
- ^
"Firefox 39.0 Release Notes". Mozilla.
FIXED Update to NSS 3.19.2
- ^
"Mozilla Foundation Security Advisory 2015-70 - NSS accepts export-length DHE keys with regular DHE cipher suites". Mozilla.
FIXED IN Firefox 39.0 [...] This attack [...] is known as the "Logjam Attack."
External links