Where’s Jackie Treehorn when you need him? There’s a new browser exploit that’s making the rounds across the internet, and it’s capable of some pretty nasty stuff. Closely related to the FREAK exploit that we detailed a few months back, Logjam works its magic by using a main-in-the middle attack on the Diffie-Hellman protocol, downgrading vulnerable transport layer security (TLS) connections to just 512-bits of encryption — skilled hackers could crack 512-bit encryption keys in mere minutes.
According to WeakDH, the Logjam exploit affects 0.2 percent of the top one million domains on the web. That puts roughly 20,000 sites at risk. But there’s both good news and bad news with regards to tackling Logjam. The good news is that software companies behind the world’s most popular web browsers are working to patch the exploit in their products. Of the major web browsers currently on the market, only Microsoft has already issued a path to kill Logjam in its Internet Explorer browser. However, Google, Mozilla, and Apple are all working furiously to release patches to address Logjam in Chrome, Firefox, and Safari respectively.
(Source: Flickr/Yuri Samoilov)
For its part, Firefox security chief Richard Barnes told The Wall Street Journal, “It’s a twitchy business, and we try to be careful. The question is: How do you come up with a solution that gets as much security as you can without causing a lot of disruption to the Internet?”
The last part of Barnes’ statement gets to the bad news with regards to the Logjam fix. Websites and email servers that have not been updated to address Logjam on their end will be inaccessible via fully patched web browsers. Luckily, researchers indicate that changing a few lines of code is all that’s needed to squash Logjam once and for all. You can visit WeakDH’s site to see if your site is affected and how to patch things up.
It isn’t believed that anyone has actually used Logjam to carry out attacks on sites or Internet surfers, which is good to hear. And that fact that browsers makers have committed to addressing the matter and that that fix for site admins is relatively minor gives us hope that we’ll all just ride through this briar patch unscathed.