Industry Observations-Technical Insight-Vulnerabilities

Logjam: Web Encryption Vulnerability

A team of researchers has released details of a new attack called “Logjam.” This attack, like FREAK, enables a man-in-the-middle attacker to downgrade the connection between the client and the server to an easier-to-break cipher. Many servers support these weaker ciphers, though there is no practical reason to support them. The solution is to simply not support any ciphers that are easy to break. In fact, the browser makers are doing that right now.

The offending ciphers, Export Diffie-Hellman ciphers, can be found in HTTPS, SSH, VPN, mail, and many other servers. This does not, however, mean that you are vulnerable, or that you need to panic. Exploiting this vulnerability requires man-in-the-middle and a high level of sophistication. The real risk is relatively low on this issue compared to Poodle or Heartbleed. You should simply test your TLS endpoints to ensure that they do not support any weak ciphers. If you took this step back when FREAK came out, you are likely already okay.

The specific ciphers to disable for this attack are DHE_EXPORT ciphers (or “EXP-EDH-” ciphers). But go ahead and disable all weak ciphers, while you’re at it.

All WhiteHat Sentinel dynamic testing services (BE, SE, PE, PL, Elite) now report the use of export ciphers as part of reporting on weak ciphers, and specifically call out the ciphers that are a concern for Logjam.

The research team that released the report has also set up a page to test your servers here:

Remember that when you test a hostname, you are really testing the TLS endpoint for that connection, which may be a load balancer or firewall, and not your application server.