Tech

We're In This Logjam Thanks To Outdated Cryptography Policy

The latest encryption vulnerability, Logjam, exists thanks to software policy of the 1990s.

We're In This Logjam Thanks To Outdated Cryptography Policy
Wisconsin Department of Natural Resources / CC BY ND 2.0
SMS

A team of security researchers has found tens of thousands of websites and servers could be at risk from Logjam, a new encryption attack based on an old security mindset.

Logjam is a man-in-the-middle attack in which attackers can monitor and modify supposedly secure traffic over transport layer security, or TLS. That HTTPS on Google, for example, is one type of TLS.

Logjam targets servers using the Diffie-Hellman key exchange. Attackers can "downgrade" the encryption strength of any affected system to make it easier to crack. (Video via Adrian et al.)

Logjam is similar in principle to the FREAK attack, which also compromised encryption. But the researchers say where FREAK went after a flawed implementation of TLS in certain browsers, Logjam exploits a flaw in TLS itself. (Video via Newsy)

Fixing Logjam will require updating the encryption that runs on some Web servers, and it might break some of the older ones.

"Twenty thousand. That is how many websites may become unreachable as engineers from the biggest tech firms fix a bug appropriately named Logjam," said Bloomberg's Emily Chang.

Some industry watchers are blaming this jam on the government, and they're actually onto something here.

The Clinton administration mandated any encryption software that might be exported from the U.S. be intentionally weakened so it would be easier to spy on anyone using it. Until as late as 1996, some commercial crypto software was classified as munitions. (Video via C-SPAN)

Restrictions were eased leading up to 2000, but the vulnerability has persisted, and some are still taking advantage of it.

A Snowden report showed the NSA can decrypt traffic on virtual private networks, and the researchers say the agency is probably using Logjam to do it.

The good news, if there is any, is unless you're a system administrator or run your own servers, there's not much to do but update your browser.

Mozilla, Apple and Google have all announced patches; Microsoft has already updated Internet Explorer.

This video includes images from the Wisconsin Department of Natural Resources / CC BY ND 2.0 and Getty Images.