Jennifer Valentino-DeVries
May 20, 2015
The Wall Street Journal reported that computer-security researchers aredisclosing a new flaw, called LogJam, in technology behind prominent security tools, including the green padlock on secure websites. Here’s a primer on the problem:
What’s the problem?
The flaw could allow an attacker to read or alter communications, including email or traffic to websites, that claim to be secure.
Why is it a problem?
The researchers found problems with some commonly used security “keys,” long random numbers used to encode and decode messages. In general, the longer the key, the harder it is to crack the code.
The type of key in question is called a Diffie-Hellman key, named after the cryptologists who invented it. Researchers found Diffie-Hellman keys aren’t as secure as previously thought.
Why not?
There are several problems. Researchers found that the vast majority of Internet servers reuse a few of the same large numbers to generate their Diffie-Hellman keys. That means an attacker can take a short cut toward breaking the key by working from those commonly used numbers.
There’s also a flaw in a security tool called “transport layer security,” or TLS, which uses these keys to create secure connections for things like electronic payments and sensitive data. The researchers found that attackers can trick a Web browser into believing they are using large, safe Diffie-Hellman keys when they are using smaller, weaker keys.
Why are the weaker keys still in use?
In part, it is an unintended consequence of an old U.S. policy to limit the strength of encryption exported to other countries. The restrictions were dropped in the 1990s, but many computers still use those weak export security keys. Attackers can force computers to use these weaker Diffie-Hellman keys.
Another problem is that website operators can have trouble keeping up with security updates. Web browsers support the weaker keys so that users can communicate with those websites.
Is my personal information at risk?
It’s unclear whether hackers have exploited any of the flaws. Researchers said they are more likely to have been used by governments for surveillance than by criminals trying to steal credit-card numbers.
In a paper, the researchers said documents suggest the National Security Agency could have exploited one of the flaws to spy on virtual private networks, or VPNs, and other communications previously thought to be secure.
What can be done?
Makers of popular Web browsers, including Google GOOGL +0.36%, MicrosoftMSFT 0.00%, Apple and Mozilla, are moving to block small Diffie-Hellman keys. That should make Internet browsing safer. But it could leave more than 20,000 websites unreachable for users of those browsers. Operators of those websites and websites vulnerable to the flaw will need to change some of the software code behind their sites.
Researchers say LogJam is also a cautionary tale about creating “backdoors” into security products, as the U.S. did by limiting the strength of encryption.
Is this like another recent flaw?
Yes and no. These same researchers in March disclosed a bug they called Freak, which also involved forcing the use of weak export keys. Freak involved different types of keys. Plus, it only affected certain browsers. The LogJam flaw involves the basic design of TLS, so it affects all browsers, and some emails.
Good grief. There are a lot of security bugs. Is the Internet broken?
The Internet was designed for communication more than security. There’s no supervising agency that can require Internet users to make changes. So security improves in fits and starts, largely by disclosing and fixing flaws like LogJam.
“People propose something that is the best they can think of, and then other people bang on it and test it and shake out all the problems, and that’s how it works,” said Karthikeyan Bhargavan, a researcher at the French computer science lab Inria.
No comments:
Post a Comment