Tens of thousands of HTTPS websites and numerous enterprise networks could potentially be affected by a vulnerability called Logjam, according to the security experts who identified it this week. Cryptographic weaknesses in the Diffie-Hellman key exchange algorithm may allow decryption and manipulation of data, and man-in-the-middle attacks on TLS.
In the report originally presenting Logjam, researchers claimed they could compromise connections to seven percent of the Alexa top million HTTPS sites, and that TLS attacks taking advantage of the Diffie-Hellman vulnerability could theoretically affect 8.4 percent. The researchers recommended that web administrators disable export cipher suite support and generate a unique 2048-bit Diffie-Hellman key group.
Skyhigh Networks tested its own enterprise customers for exposure to Logjam and found that 575 cloud providers could be vulnerable and that the average enterprise uses 71 vulnerable services. Of over 400 enterprises using Skyhigh, 99 percent use at least one potentially vulnerable cloud service.
“The Diffie-Hellman key exchange is a cornerstone of many cryptographic protocols,” says the initial disclosure (PDF). “Despite its relative simplicity and elegance, practical complications and technical debt over decades have left modern implementations vulnerable to attack from even low-resource adversaries. Additionally, due to a breakdown in communication between cryptographers and system implementers, there is evidence that suggests the way we are using Diffie-Hellman in today’s protocols is insufficient to protect against state-level actors. As we move to using newer key exchanges, it is important to ensure that our implementations and protocols remain adaptable and can be easily updated to the relevant dynamic changes in the underlying cryptographic requirements.”
The discovery of Logjam closely follows the discovery of the similar Freak HTTPS encryption vulnerability in March. The team which authored the Logjam report includes many of the same researchers who disclosed the Freak vulnerability, from Johns Hopkins University, the Universities of Michigan and Pennsylvania, Microsoft, and INRIA.
Service providers and enterprises using Skyhigh’s services are being contacted, and patched browser versions have been rolling out that will not allow a connection to be downgraded to export-grade cryptography. Skyhigh has several recommendations for companies: determine client and service-side exposure, validate proxy configurations, ensure internal OpenSSL use is updated, and update your VPN server.
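As an added illustration (not part of the original article or the researchers' report), the following Python script audits a web server configuration against the two recommendations quoted above: export cipher suites disabled and a site-specific Diffie-Hellman group configured. It assumes nginx's `ssl_ciphers` and `ssl_dhparam` directives and flat `server` blocks; the sample configuration, hostnames, file path and finding codes are constructed for the example.

```python
import re

# Constructed sample nginx config (hostnames and file path are made up).
SAMPLE_CONF = """
server {
    server_name legacy.example;
    ssl_ciphers ALL:EXP-EDH-RSA-DES-CBC-SHA:!aNULL;
}
server {
    server_name hardened.example;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:!EXPORT:!aNULL;
    ssl_dhparam /etc/nginx/dhparams.pem;
}
"""

BROAD = {"ALL", "DEFAULT"}  # keywords whose contents depend on the OpenSSL build


def audit(conf):
    """Return {server_name: [finding codes]}; assumes flat server blocks."""
    report = {}
    for block in re.finditer(r"\bserver\s*\{(.*?)\}", conf, re.S):
        body = block.group(1)
        name = re.search(r"server_name\s+([^;\s]+)", body)
        ciphers = re.search(r"ssl_ciphers\s+([^;]+);", body)
        # No ssl_ciphers directive means the library default list applies.
        spec = ciphers.group(1).strip("'\" ") if ciphers else "DEFAULT"
        tokens = [t for t in re.split(r"[:,\s]+", spec) if t]
        # "!X" and "-X" remove suites and "+X" only reorders; none add anything.
        active = [t for t in tokens if t[0] not in "!-+"]
        export_off = any(t in ("!EXPORT", "!EXP") for t in tokens)
        broad = any(t in BROAD for t in active)
        findings = []
        if not export_off and (broad or any(t.startswith("EXP") for t in active)):
            findings.append("EXPORT_NOT_DISABLED")
        uses_dhe = broad or any(re.match(r"k?(DHE|EDH)\b", t) for t in active)
        if uses_dhe and not re.search(r"ssl_dhparam\s+[^;]+;", body):
            findings.append("NO_SITE_DH_GROUP")
        report[name.group(1) if name else "(unnamed)"] = findings
    return report


if __name__ == "__main__":
    for server, findings in audit(SAMPLE_CONF).items():
        print(server, findings or "ok")
```

The script only checks that a group file is configured, not its size; `openssl dhparam -in FILE -text -noout` prints the bit length of the group in a given file.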