HTTPS exploit ready to terrorise -
Welcome Guest.   Make a donation to an author on the site May 23, 2015, 10:12:46 PM  *

Please login or register.
Or did you miss your validation email?

Login with username and password (forgot your password?)
Why not become a lifetime supporting member of the site with a one-time donation of any amount? Your donation entitles you to a ton of additional benefits, including access to exclusive discounts and downloads, the ability to enter monthly free software drawings, and a single non-expiring license key for all of our programs.

You must sign up here before you can post and access some areas of the site. Registration is totally free and confidential.
The N.A.N.Y. Challenge 2012! Download dozens of custom programs!
   Forum Home   Thread Marks Chat! Downloads Search Login Register  
Pages: [1]   Go Down
  Reply  |  New Topic  |  Print  
Author Topic: HTTPS exploit ready to terrorise  (Read 321 times)
Supporting Member
Posts: 6,565

see users location on a map View Profile Give some DonationCredits to this forum member
« on: May 22, 2015, 07:15:34 AM »

Normally I will would just leave an extended title and a link, but this article is too important & too sad, to risk being unnoticed:

I don't know if this is old news, but I think it certainly is bad news:

Quote from: TechRadar
HTTPS exploit ready to terrorise thousands of websites and mail servers
By Jamie Hinks

Diffie-Hellman downgrade weakness allows hackers in.

Almost 100,000 HTTPS websites are under threat from a new vulnerability born out of attempts by the US in the early 1990s to break the encryption used by foreign entities.

First reported by Ars Technica, the 'Logjam' vulnerability affects 8.4% of the world's top one million websites in addition to a slightly higher percentage of the mail servers in the IPv4 address space, according to researchers.

"Logjam shows us once again why it's a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for," J. Alex Halderman, one of the scientists behind the research, told Ars Technica in an email. "That's exactly what the US did in the 1990s with crypto export restrictions, and today that backdoor is wide open, threatening the security of a large part of the web."

The exploit lets eavesdroppers view data passing over encrypted connections and then modify it to successfully perform man-in-the-middle attacks. It is born out of a flaw in the transport layer security (TLS) protocol that allows websites and mail servers to set up encrypted connections with end users, and the Diffie-Hellman key exchange is where the weakness lies.

Attackers are using Logjam to take advantage of a subset of servers supporting Diffie-Hellman, which allows two parties that have never met to set up a special key even if they are communicating over an unsecured connection.

To take advantage of vulnerable connections, attackers have to use the number sieve algorithm to precompute data. After doing that they can successfully perform man-in-the-middle attacks against the same vulnerable connection.

Keep your browser updated
Only Internet Explorer has been updated to protect against the exploit, although the researchers have been in touch with the developers of Chrome, Firefox and Safari to ensure that a fix will be implemented that rejects encrypted connections under a minimum of 1024 bits.

Researchers are advising server administrators to switch off support for the DHE_EXPORT ciphersuites that permit Diffie-Hellman connections to be downgraded and they have even provided a guide on how to do so securely. For end users, make sure your browser or email client is kept completely up-to-date with the very latest version.

>"... rejects encrypted connections under a minimum of 1024 bits"<!!!


Turns out it even was made close at home!  Sad
Supporting Member
Posts: 89

View Profile Give some DonationCredits to this forum member
« Reply #1 on: May 22, 2015, 09:19:36 AM »

News like this makes me frustrated. Out-of-the-box, Pale Moon doesn't support, for example SSL3 because it's not secure. But guess what, my bank uses it still. So I have to disable security features in my browser so that I can go on doing business. None of the browser updates in the world will help if the effect is broken websites, so people have to set up security exceptions (and security exception or policy changes have to be permitted, because otherwise users get PO'd at the browser, NOT the server). And you get into a habit of clicking "Allow" any time it asks (much like windows security prompts). Which is the same as no security at all.

Practically speaking, people don't know--or care--what sort of security websites use. It just better work. But the burden is on server admins to get it fixed, so browsers can stop supporting vulnerable technologies without making everybody angry.
Charter Member
Posts: 2,078

View Profile Give some DonationCredits to this forum member
« Reply #2 on: Today at 10:04:08 AM »

The great thing about computers is that as time goes by they get more & more powerful.

The horrible thing about computers is that those more powerful computers make it possible to crack encryption algorithms that were once thought to be impervious to attack.

I'm sure 20 years from now it's most likely that any encryption we're using now will probably be as breakable as WEP encryption is today.
Pages: [1]   Go Up
  Reply  |  New Topic  |  Print  
Jump to:  
   Forum Home   Thread Marks Chat! Downloads Search Login Register | About Us Forum | Powered by SMF
[ Page time: 0.038s | Server load: 0.01 ]

Share on Facebook
submit to reddit