Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 05, 2016, 12:49:22 PM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: HTTPS exploit ready to terrorise  (Read 2635 times)

Curt

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 7,089
    • View Profile
    • Donate to Member
HTTPS exploit ready to terrorise
« on: May 22, 2015, 07:15:34 AM »
Normally I will would just leave an extended title and a link, but this article is too important & too sad, to risk being unnoticed:

I don't know if this is old news, but I think it certainly is bad news:

Quote from: TechRadar
HTTPS exploit ready to terrorise thousands of websites and mail servers
By Jamie Hinks http://www.techradar...mail-servers-1294458

Diffie-Hellman downgrade weakness allows hackers in.

Almost 100,000 HTTPS websites are under threat from a new vulnerability born out of attempts by the US in the early 1990s to break the encryption used by foreign entities.

First reported by Ars Technica, the 'Logjam' vulnerability affects 8.4% of the world's top one million websites in addition to a slightly higher percentage of the mail servers in the IPv4 address space, according to researchers.

"Logjam shows us once again why it's a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for," J. Alex Halderman, one of the scientists behind the research, told Ars Technica in an email. "That's exactly what the US did in the 1990s with crypto export restrictions, and today that backdoor is wide open, threatening the security of a large part of the web."

The exploit lets eavesdroppers view data passing over encrypted connections and then modify it to successfully perform man-in-the-middle attacks. It is born out of a flaw in the transport layer security (TLS) protocol that allows websites and mail servers to set up encrypted connections with end users, and the Diffie-Hellman key exchange is where the weakness lies.

Attackers are using Logjam to take advantage of a subset of servers supporting Diffie-Hellman, which allows two parties that have never met to set up a special key even if they are communicating over an unsecured connection.

To take advantage of vulnerable connections, attackers have to use the number sieve algorithm to precompute data. After doing that they can successfully perform man-in-the-middle attacks against the same vulnerable connection.


Keep your browser updated
Only Internet Explorer has been updated to protect against the exploit, although the researchers have been in touch with the developers of Chrome, Firefox and Safari to ensure that a fix will be implemented that rejects encrypted connections under a minimum of 1024 bits.

Researchers are advising server administrators to switch off support for the DHE_EXPORT ciphersuites that permit Diffie-Hellman connections to be downgraded and they have even provided a guide on how to do so securely. For end users, make sure your browser or email client is kept completely up-to-date with the very latest version.


Magnifying glass on danger-970-80.jpgHTTPS exploit ready to terrorise

>"... rejects encrypted connections under a minimum of 1024 bits"<!!!

-----------

Turns out it even was made close at home!  :(

ayryq

  • Supporting Member
  • Joined in 2009
  • **
  • Points: 101
  • Posts: 223
    • View Profile
    • Donate to Member
Re: HTTPS exploit ready to terrorise
« Reply #1 on: May 22, 2015, 09:19:36 AM »
News like this makes me frustrated. Out-of-the-box, Pale Moon doesn't support, for example SSL3 because it's not secure. But guess what, my bank uses it still. So I have to disable security features in my browser so that I can go on doing business. None of the browser updates in the world will help if the effect is broken websites, so people have to set up security exceptions (and security exception or policy changes have to be permitted, because otherwise users get PO'd at the browser, NOT the server). And you get into a habit of clicking "Allow" any time it asks (much like windows security prompts). Which is the same as no security at all.

Practically speaking, people don't know--or care--what sort of security websites use. It just better work. But the burden is on server admins to get it fixed, so browsers can stop supporting vulnerable technologies without making everybody angry.

Innuendo

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 2,255
    • View Profile
    • Donate to Member
Re: HTTPS exploit ready to terrorise
« Reply #2 on: May 23, 2015, 10:04:08 AM »
The great thing about computers is that as time goes by they get more & more powerful.

The horrible thing about computers is that those more powerful computers make it possible to crack encryption algorithms that were once thought to be impervious to attack.

I'm sure 20 years from now it's most likely that any encryption we're using now will probably be as breakable as WEP encryption is today.