HTTPS exploit ready to terrorise thousands of websites and mail servers


Almost 100,000 HTTPS websites are under threat from a new vulnerability born out of attempts by the US in the early 1990s to break the encryption used by foreign entities.

First reported by Ars Technica, the 'Logjam' vulnerability affects 8.4% of the world's top one million websites in addition to a slightly higher percentage of the mail servers in the IPv4 address space, according to researchers.

"Logjam shows us once again why it's a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for," J. Alex Halderman, one of the scientists behind the research, told Ars Technica in an email. "That's exactly what the US did in the 1990s with crypto export restrictions, and today that backdoor is wide open, threatening the security of a large part of the web."

The exploit lets eavesdroppers view data passing over encrypted connections and modify it, performing man-in-the-middle attacks. It stems from a flaw in the transport layer security (TLS) protocol, which websites and mail servers use to set up encrypted connections with end users; the weakness lies in the Diffie-Hellman key exchange.

Attackers are using Logjam to take advantage of a subset of servers supporting Diffie-Hellman, a key exchange that allows two parties that have never met to set up a shared secret key even if they are communicating over an unsecured connection.

To take advantage of vulnerable connections, attackers have to use the number sieve algorithm to precompute data. After doing that they can successfully perform man-in-the-middle attacks against the same vulnerable connection.

Keep your browser updated

Only Internet Explorer has been updated to protect against the exploit, although the researchers have been in touch with the developers of Chrome, Firefox and Safari to ensure that a fix will be implemented that rejects encrypted connections that fall below a minimum of 1024 bits.

Researchers are advising server administrators to switch off support for the DHE_EXPORT ciphersuites that permit Diffie-Hellman connections to be downgraded, and they have even provided a guide on how to do so securely. End users should make sure their browser or email client is kept up to date with the latest version.
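The two defences described above, refusing DHE_EXPORT suites and rejecting Diffie-Hellman parameters under 1024 bits, can be sketched as a client-side check. This is an added example, not code from the article, the researchers or any browser; the function names are hypothetical, the sample parameters are constructed (not real primes), and the field layout follows the TLS ServerDHParams structure.

```python
import struct

# IANA code points for the two DHE_EXPORT cipher suites.
DHE_EXPORT_SUITES = {
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
MIN_DH_BITS = 1024  # the minimum the article says browsers will enforce


def read_vector(buf, offset):
    """Read one TLS opaque<1..2^16-1> field: 2-byte big-endian length, then data."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">H", buf, offset)
    end = offset + 2 + length
    if length == 0 or end > len(buf):
        raise ValueError("truncated or empty vector")
    return buf[offset + 2:end], end


def check_server_dh(suite_id, server_dh_params):
    """Return (accept, reason) for the selected suite and raw ServerDHParams bytes."""
    if suite_id in DHE_EXPORT_SUITES:
        return False, "export suite " + DHE_EXPORT_SUITES[suite_id]
    try:
        p, off = read_vector(server_dh_params, 0)      # dh_p (prime modulus)
        _g, off = read_vector(server_dh_params, off)   # dh_g (generator)
        _ys, off = read_vector(server_dh_params, off)  # dh_Ys (server public value)
    except ValueError as exc:                          # any signature after dh_Ys is ignored
        return False, "malformed ServerDHParams: %s" % exc
    bits = int.from_bytes(p, "big").bit_length()
    if bits < MIN_DH_BITS:
        return False, "DH prime is %d bits, below %d" % (bits, MIN_DH_BITS)
    return True, "DH prime is %d bits" % bits


def make_params(prime_bits):
    """Constructed sample input: a modulus of the given size, not a real prime."""
    def enc(n):
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack(">H", len(raw)) + raw
    p = (1 << (prime_bits - 1)) | 1
    return enc(p) + enc(2) + enc(p - 2)
```

The size check runs even when the negotiated suite is not an export suite, so a 512-bit group is refused whichever suite the client believes it selected.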
