Critical Encryption Bug Affecting Millions Might Have Enabled NSA’s Attack on VPNs


Security researchers have discovered a new vulnerability rated as critical as Heartbleed. Codenamed Logjam, this latest encryption flaw allows an attacker to intercept secured communications between users and servers worldwide.

Discovered by crypto researcher Matthew Green of Johns Hopkins together with security experts from the University of Michigan, Logjam is essentially a man-in-the-middle (MitM) attack that can be used to downgrade encrypted connections between a user and an online service. To carry out the attack, the attacker needs to be on the same network as the user.

The Logjam bug affects the TLS (Transport Layer Security) protocol used by websites, mail servers and VPN servers to encrypt traffic. It allows an attacker to downgrade the connection to "extremely weak" 512-bit keys and then read or modify the supposedly secured data passing between users and servers, affecting hundreds of thousands of HTTPS-protected sites and servers.

Who is affected by Logjam?

Logjam has been present on the web for over 20 years, affecting SSH, IPsec, SMTPS, HTTPS and other protocols that rely on the transport layer. The research group found that at least 8.4 percent of the top one million web domains are affected by this bug, along with a similar proportion of mail servers and every modern web browser.

The only thing that might be considered a relief is that the attack can only be carried out by a man in the middle on the same network. As Rob Graham of Errata Security puts it:

[Logjam] can only be used by a man-in-the-middle attack. It also needs a fair amount of resources to do the attack. So the teenager at Starbucks is not going to use this to attack you; the only threat would be the NSA.

The researchers note that this bug might have been used by the National Security Agency (NSA) to crack open secure VPN connections, as disclosed in the Snowden revelations. NSA whistleblower Edward Snowden had revealed that the NSA ran global mass surveillance programs, including attacks on cryptography; until now, however, it was not known how the NSA accomplished that.

A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break.

Whether the NSA actually used this vulnerability remains speculation with no proof, but the US government contributed to this bug in another way besides supposedly not disclosing the vulnerability to the public. According to Wired, in the 1990s the US government established export regulations that prevented the export of high-grade cryptography, so that only weaker levels of protection were available abroad.

This essentially meant that web servers in the US and worldwide had to support weaker encryption to remain able to communicate. The Logjam vulnerability affects every server that still supports the export-grade version of Diffie-Hellman, which uses 512-bit primes to generate keys.

To protect yourself:

Go to the researchers' official blog to confirm whether your browser is vulnerable. Browsers such as Google Chrome and Mozilla Firefox are working on patches, so make sure to check for updates.

For server administrators, here are the instructions from the research team:

"If you have a web or mail server, you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. We have published a Guide to Deploying Diffie-Hellman for TLS with step-by-step instructions. If you use SSH, you should upgrade both your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman Key Exchange."
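The research team's advice above comes down to one measurable property: the size of the Diffie-Hellman group a server actually offers. As an added example that is not from the article or the research team, the Python below parses the ServerDHParams structure a TLS 1.2 server sends in its ServerKeyExchange message (RFC 5246, section 7.4.3) and reports the prime size, so a defender reviewing captured or scanned handshakes can tell a 512-bit export-grade group from the recommended 2048-bit one. The sample records are constructed (the moduli only have the right bit length and are not real safe primes), and the two thresholds, export grade at 512 bits or below and weak below 2048 bits, are this example's own labels derived from the guidance quoted above.

```python
import struct

# Thresholds are assumptions of this example, taken from the guidance quoted above:
# the team recommends a unique 2048-bit group, and Logjam downgrades to 512 bits.
MIN_SAFE_DH_BITS = 2048
EXPORT_GRADE_DH_BITS = 512


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Serialize ServerDHParams as carried in a TLS 1.2 ServerKeyExchange (RFC 5246, 7.4.3):
    three opaque<1..2^16-1> vectors dh_p, dh_g, dh_Ys, each a 2-byte length plus big-endian bytes."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def parse_server_dh_params(data: bytes):
    """Parse ServerDHParams and return (p, g, Ys, bytes_consumed).
    Truncated or zero-length vectors raise ValueError instead of being guessed at."""
    offset = 0
    values = []
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(data):
            raise ValueError(f"truncated before {name} length field")
        (length,) = struct.unpack_from("!H", data, offset)
        offset += 2
        if length == 0 or offset + length > len(data):
            raise ValueError(f"invalid {name} length {length}")
        values.append(int.from_bytes(data[offset:offset + length], "big"))
        offset += length
    p, g, ys = values
    return p, g, ys, offset


def assess_dh_group(data: bytes) -> dict:
    """Classify the group a server offered: 512 bits is the export-grade size
    Logjam downgrades to, and anything under 2048 bits falls short of the guidance."""
    p, g, ys, _ = parse_server_dh_params(data)
    bits = p.bit_length()
    # The server's public value must lie strictly inside (1, p-1); anything else is
    # malformed or degenerate and should be treated as a failed handshake.
    public_value_ok = 1 < ys < p - 1
    return {
        "prime_bits": bits,
        "export_grade": bits <= EXPORT_GRADE_DH_BITS,
        "weak": bits < MIN_SAFE_DH_BITS,
        "public_value_ok": public_value_ok,
    }


# Constructed sample records (not real server traffic): a 512-bit and a 2048-bit modulus.
# Only the bit length matters for this check, so the values are not actual safe primes.
SAMPLE_EXPORT_GRADE = encode_server_dh_params(p=(1 << 511) | 0x1234567, g=2, ys=(1 << 300) + 5)
SAMPLE_2048 = encode_server_dh_params(p=(1 << 2047) | 0x1234567, g=2, ys=(1 << 1000) + 5)

if __name__ == "__main__":
    for label, sample in (("export-grade", SAMPLE_EXPORT_GRADE), ("2048-bit", SAMPLE_2048)):
        print(label, assess_dh_group(sample))
```

The same check can be applied to a live server by feeding it the DH parameters from a packet capture of the ServerKeyExchange; the two-byte length prefix on `dh_p` alone is enough to spot a 64-byte (512-bit) export group. Parsing the full structure, rather than just that length, also catches a malformed public value, which a server-side downgrade check would otherwise miss.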