OpenSSL now protects against Logjam attack

By Shawn Knight
Jun 12, 2015
Post New Reply
  1. openssl patches flaws adds protection logjam attack ssl tls freak openssl man-in-the-middle freak flaw export encryption export-grade encryption encyrption diffie-hellman logjam

    With help from the Linux Foundation’s Core Infrastructure Initiative (CII) and the NCC Group, the OpenSSL project has patched a number of moderate- and low-level security vulnerabilities in the latest releases of its software.

    The majority of the fixes are related to moderate-severity denial-of-service bugs. Notably, the revised software also protects against a vulnerability in the TLS protocol called Logjam that gained notoriety last month.

    As Malwarebytes explains, Logjam was discovered by a group of security researchers and computer scientists. It affects how a Diffie-Hellman (DH) key exchange is deployed on the web which is used to establish session keys between two communicating party.

    Specifically, it is a man-in-the-middle attack that’s capable of downgrading a connection to 512-bit export-grade encryption. It isn’t all that different from the FREAK flaw except that, as researchers note, it applies to the Diffie-Hellman ciphersuites and is a TLS protocol flaw rather than an implementation vulnerability.

    512-bit encryption was at one time considered quite strong. But as computing power has evolved, it’s now possible to crack such a key in a matter of hours using Amazon Web services at a cost of around $100.

    The latest version of OpenSSL will reject handshakes with DH parameters shorter than 768 bits, a limit that will be increased to 1,024 bits in a future release.

    Those running OpenSSL 1.0.2 are advised to upgrade to 1.0.2b while those using OpenSSL 1.0.1 should upgrade to version 1.0.1n.

    Permalink to story.


Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...