Jump to content

Logjam (computer security)

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by StackzOfZtuff (talk | contribs) at 08:52, 4 July 2015 (+cite web template). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Logjam is a security vulnerability against US export-grade 512-bit keys in Diffie–Hellman key exchange. It was discovered by a group of computer scientists and publicly reported on May 20, 2015.[1][2][3][4] The vulnerability allows a man-in-the-middle network attacker to downgrade a Transport Layer Security (TLS) connection to use export-grade cryptography, allowing him to read the exchanged data and inject data into the connection. It affects the HTTPS, SMTPS, and IMAPS protocols, among others.[5] Its CVE ID is CVE-2015-4000.[6]

Responses

  • On May 12, 2015, Microsoft released a patch for Internet Explorer.[7]
  • On June 16, 2015, the Tor Project provided a patch for Logjam to the Tor Browser.[8]
  • On June 30, 2015, Apple released a patch for both OS X Yosemite and iOS 8 operating system.[9][10]
  • On July 30, 2015, the Mozilla project released a fix for the Firefox browser.[11][12]

See also

References

  1. ^ "The Logjam Attack". weakdh.org. 2015-05-20.
  2. ^ Dan Goodin (2015-05-20). "HTTPS-crippling attack threatens tens of thousands of Web and mail servers". Ars Technica.
  3. ^ Charlie Osborne (2015-05-20). "Logjam security flaw leaves top HTTPS websites, mail servers vulnerable". ZDNet.
  4. ^ http://www.wsj.com/articles/new-computer-bug-exposes-broad-security-flaws-1432076565
  5. ^ Adrian, David; Bhargavan, Karthikeyan; Durumeric, Zakir; Gaudry, Pierrick; Green, Matthew; Halderman, J. Alex; Heninger, Nadia; Springall, Drew; Thomé, Emmanuel; Valenta, Luke; VanderSloot, Benjamin; Wustrow, Eric; Zanella-Béguelin, Santiago; Zimmermann, Paul (May 2015). "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice" (PDF).
  6. ^ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
  7. ^ "Microsoft Security Bulletin MS15-055. Vulnerability in Schannel Could Allow Information Disclosure (3061518)". Microsoft Corporation. 2015-05-12. This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed Logjam technique, [...] The security update addresses the vulnerability by increasing the minimum allowable DHE key length to 1024 bits.
  8. ^ https://blog.torproject.org/blog/tor-browser-452-released
  9. ^ "About the security content of OS X Yosemite v10.10.4 and Security Update 2015-005". Apple Inc.
  10. ^ "About the security content of iOS 8.4". Apple Inc.
  11. ^ "Firefox 39.0 Release Notes". Mozilla. FIXED Update to NSS 3.19.2
  12. ^ "Mozilla Foundation Security Advisory 2015-70 - NSS accepts export-length DHE keys with regular DHE cipher suites". Mozilla. FIXED IN Firefox 39.0 [...] This attack [...] is known as the "Logjam Attack."