posted by CoolHand on Thursday May 21 2015, @06:20AM
from the vulnerability-of-the-week dept.

A new TLS vulnerability, named "Logjam", has been found. It is exploited through a protocol downgrade to export-grade cipher suites that were left in place because of earlier U.S. government export restrictions. It affects servers that support the Diffie-Hellman key exchange and still accept those export suites, and it stems from export restrictions the U.S. government imposed during the Clinton administration. "Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled server that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties."

Internet Explorer is the only browser yet updated to block such an attack — patches for Chrome, Firefox, and Safari are expected soon. The researchers add, "Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break." Here is their full technical report (PDF).

Time for a complete overhaul?

[Update: Thanks to Canopic Jug for locating and providing a link to the Common Vulnerabilities and Exposures entry CVE-2015-4000; check there for official information and updates.]
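The downgrade in the quoted passage works because the server's signature on the ServerKeyExchange covers the DH parameters and the two randoms but not the cipher suite, so an attacker in the middle can rewrite the ClientHello to offer only DHE_EXPORT, let the server answer with a 512-bit group, and rewrite the ServerHello back to the suite the client thought it offered. The only thing the client can check is the size of the group it is handed, which is what the browser patches mentioned above enforce. The following is an added example that simulates that exchange offline and shows the check; it is not code from the Logjam paper, the researchers, or any browser. The wire format follows RFC 5246 (ServerDHParams as three length-prefixed opaque fields) and the cipher suite IDs are from that RFC's appendix; the moduli, the server exponent and the toy server's suite selection are constructed for the example and are not real primes or real server logic.

```python
"""Logjam downgrade, simulated offline, and the client-side group-size check.
Added example; not code from the Logjam paper, the researchers, or any browser."""
import struct

# Export-grade DHE suites (512-bit DH). IDs from RFC 2246 / RFC 5246 appendix.
EXPORT_DHE_SUITES = {0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
                     0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"}
# A normal DHE suite a 2015 browser would offer.
DHE_RSA_AES128_SHA = 0x0033

MIN_DH_BITS = 1024  # floor the patched browsers adopted in 2015; use 2048 today

# Constructed placeholder moduli: right bit lengths and odd, NOT real safe primes.
P512 = (1 << 511) + 12345
P2048 = (1 << 2047) + 12345
G = 2


def encode_server_dh_params(p, g, ys):
    """Serialize ServerDHParams: dh_p, dh_g, dh_Ys each as opaque<1..2^16-1>."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def parse_server_dh_params(body):
    """Parse ServerDHParams, returning (p, g, ys, rest). Rejects truncation."""
    vals, off = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before {name} length")
        (n,) = struct.unpack_from("!H", body, off)
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError(f"bad {name} length {n}")
        vals.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    return vals[0], vals[1], vals[2], body[off:]


def dh_params_problem(p, g, ys, min_bits=MIN_DH_BITS):
    """Return None if the group is acceptable, else the reason to abort."""
    if p.bit_length() < min_bits:
        return f"dh_p is {p.bit_length()} bits, below {min_bits}"
    if p % 2 == 0:
        return "dh_p is even"
    if not 1 < g < p - 1:
        return "dh_g out of range"
    if not 1 < ys < p - 1:
        return "dh_Ys out of range"
    return None


def server_choose(offered_suites):
    """Toy server (constructed): prefers the strong suite but still honours DHE_EXPORT."""
    if DHE_RSA_AES128_SHA in offered_suites:
        return DHE_RSA_AES128_SHA, P2048
    for s in offered_suites:
        if s in EXPORT_DHE_SUITES:
            return s, P512
    raise ValueError("no common cipher suite")


def simulate_handshake(mitm, client_checks_group):
    """ClientHello -> ServerHello/ServerKeyExchange, optionally through a Logjam
    attacker. Returns ('ok', suite, group_bits) or ('abort', suite, reason)."""
    offered = [DHE_RSA_AES128_SHA]
    if mitm:  # attacker rewrites the ClientHello to offer only export suites
        offered = list(EXPORT_DHE_SUITES)
    chosen, p = server_choose(offered)
    ys = pow(G, 0xA5A5, p)  # toy server exponent, constructed
    # In real TLS the server signs (client_random, server_random, ServerDHParams);
    # the chosen cipher suite is not under that signature, so the attacker can
    # change it without invalidating anything the client verifies.
    ske = encode_server_dh_params(p, G, ys)
    if mitm:  # attacker rewrites the ServerHello back to the suite the client offered
        chosen = DHE_RSA_AES128_SHA
    p2, g2, ys2, _ = parse_server_dh_params(ske)
    reason = dh_params_problem(p2, g2, ys2) if client_checks_group else None
    if reason:
        return ("abort", chosen, reason)
    return ("ok", chosen, p2.bit_length())


if __name__ == "__main__":
    print(simulate_handshake(mitm=False, client_checks_group=True))
    print(simulate_handshake(mitm=True, client_checks_group=False))  # 512-bit group accepted
    print(simulate_handshake(mitm=True, client_checks_group=True))   # aborted
```

The unpatched client in the second call believes it negotiated TLS_DHE_RSA_WITH_AES_128_CBC_SHA while the key exchange actually ran over a 512-bit group, which is exactly the state in which the precomputation described above pays off. The third call is the browser fix: refuse any group below the floor regardless of which suite the ServerHello claims.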

  • (Score: 3, Funny) by zeigerpuppy (1298) on Thursday May 21 2015, @08:43AM (#185951)

    I presume this also has an impact on email servers with TLS encryption.
    Getting so sick of state-compromised encryption. It's high time for new encryption libraries and legislation that actively protects the right of users to encrypt and the agreements between service providers and users to provide secure services.
    Perhaps a class action would be good on government misrepresenting the efficacy of encryption "products". My users should certainly be pissed off if I sell a product that I present as secure but is not. But what recourse do sysadmins/users have against the criminal activity of governments undermining encryption?

  • (Score: 2) by gnuman (5013) on Thursday May 21 2015, @02:31PM (#186027)

    It's high time for new encryption libraries

    I'd suggest that you fund this "new encryption library", provide it for free, and when a mistake is found somewhere in it, then we can all sue you for providing it for free.

    Crypto is hard. Finding bugs is good. It means they can be fixed and bad guys can't use it anymore. And that is not specific to crypto software or protocols.

    But what recourse do sysadmins/users have against the criminal activity of governments undermining encryption?

    Don't downgrade it? Set minimum secure cipherset. Verify in your applications which cipher was actually used. Report bugs.

    legislation that actively protects the right for users to encrypt

    As for your new legislation, how about, https://twitter.com/marshray/status/600909836398628864 [twitter.com]
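The server-side counterpart to gnuman's "set minimum secure cipherset" and "verify which cipher was actually used" is below, as an added example that is not part of the thread. It uses only Python's ssl module (OpenSSL underneath) to expand a cipher string into the suites it actually enables, so a permissive "before" string can be compared with a hardened "after" string offline, and it shows the post-handshake check an application can run on the tuple SSLSocket.cipher() returns. The two cipher strings and the WEAK_MARKERS list are choices made for the example, not configuration from the page. Note that modern OpenSSL builds no longer compile in export suites at all, so the "before" string will look clean there; the Logjam researchers' other server-side recommendation, generating a fresh 2048-bit DH group rather than reusing a well-known 1024-bit one, is not shown here.

```python
"""Pin a cipher list that cannot select an export, anonymous or non-forward-secret
suite, and check the negotiated cipher after the handshake. Added example using
the Python ssl module; not code from the page or the Logjam paper."""
import ssl

# Permissive string of the kind many 2015 servers ran (constructed "before"):
# on an OpenSSL built with export suites, "ALL" includes them.
WEAK_CIPHER_STRING = "ALL:!aNULL"
# Hardened "after": forward-secret AEAD first; export/anon/DES/RC4/MD5 excluded.
HARD_CIPHER_STRING = ("ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:"
                      "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5")

# Substrings of OpenSSL suite names that mark something no 2015+ server should offer.
WEAK_MARKERS = ("EXPORT", "EXP-", "DES", "RC4", "NULL", "MD5")


def cipher_names(cipher_string):
    """Expand an OpenSSL cipher string into the suite names it would enable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]  # SSLContext.get_ciphers: Python 3.6+


def weak_suites(names):
    """Suites from the list that match a weak marker; empty means the list is clean."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def negotiated_is_acceptable(cipher, min_bits=128):
    """cipher is the (name, protocol, secret_bits) tuple SSLSocket.cipher() returns
    after the handshake. Reject export suites, short keys and non-(EC)DHE suites."""
    name, _protocol, bits = cipher
    if bits is None or bits < min_bits:
        return False
    if any(m in name for m in WEAK_MARKERS):
        return False
    # OpenSSL names: "ECDHE-"/"DHE-" prefix for TLS 1.2 forward-secret suites;
    # "TLS_" prefix is TLS 1.3, which always uses (EC)DHE.
    return name.startswith(("ECDHE-", "DHE-", "TLS_"))


if __name__ == "__main__":
    for label, s in (("before", WEAK_CIPHER_STRING), ("after", HARD_CIPHER_STRING)):
        names = cipher_names(s)
        print(f"{label}: {len(names)} suites, weak: {weak_suites(names)}")
    print(negotiated_is_acceptable(("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)))
    print(negotiated_is_acceptable(("EXP-EDH-RSA-DES-CBC-SHA", "TLSv1", 40)))
```

The post-handshake check is the part gnuman is pointing at: a server that only ever offers the hardened list cannot be talked into DHE_EXPORT, but an application that also inspects what was negotiated catches the case where a load balancer, library upgrade or config merge quietly widened the list behind it.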