Follow Us

We're In This Logjam Thanks To Outdated Cryptography Policy

The latest encryption vulnerability, Logjam, exists thanks to software policy of the 1990s.

We're In This Logjam Thanks To Outdated Cryptography Policy

Wisconsin Department of Natural Resources / CC BY ND 2.0

May 21, 2015

A team of security researchers has found tens of thousands of websites and servers could be at risk from Logjam, a new encryption attack based on an old security mindset.

Logjam is a man-in-the-middle attack in which attackers can monitor and modify supposedly secure traffic over transport layer security, or TLS. That HTTPS on Google, for example, is one type of TLS.

Logjam targets servers using the Diffie-Hellman key exchange. Attackers can "downgrade" the encryption strength of any affected system to make it easier to crack. (Video via Adrian et al.)

Logjam is similar in principle to the FREAK attack, which also compromised encryption. But the researchers say where FREAK went after a flawed implementation of TLS in certain browsers, Logjam exploits a flaw in TLS itself. (Video via Newsy)

Fixing Logjam will require updating the encryption that runs on some Web servers, and it might break some of the older ones.

"Twenty thousand. That is how many websites may become unreachable as engineers from the biggest tech firms fix a bug appropriately named Logjam," said Bloomberg's Emily Chang.

Some industry watchers are blaming this jam on the government, and they're actually onto something here.

The Clinton administration mandated any encryption software that might be exported from the U.S. be intentionally weakened so it would be easier to spy on anyone using it. Until as late as 1996, some commercial crypto software was classified as munitions. (Video via C-SPAN)

Restrictions were eased leading up to 2000, but the vulnerability has persisted, and some are still taking advantage of it.

A Snowden report showed the NSA can decrypt traffic on virtual private networks, and the researchers say the agency is probably using Logjam to do it.

The good news, if there is any, is unless you're a system administrator or run your own servers, there's not much to do but update your browser.

Mozilla, Apple and Google have all announced patches; Microsoft has already updated Internet Explorer.

This video includes images from the Wisconsin Department of Natural Resources / CC BY ND 2.0 and Getty Images.

Top Stories

Rapper XXXTentacion on a t-shirt.

Jury convicts 3 in 2018 killing of rapper XXXTentacion

After nearly eight days of deliberations, the jury convicted three men of armed robbery and first-degree murder. They face a mandatory life sentence.

People wait for the start of a rally in favor of legislation banning gender-affirming care

Missouri to restrict gender-affirming care for minors

The rule will require an 18-month waiting period, 15 hour-long therapy sessions and treatment of any mental illnesses before providing trans care.

Saad Ibrahim Almadi sits in a restaurant.

Saudi Arabia frees American imprisoned over critical tweets

The Florida man, who made comments criticizing Crown Prince Mohammed bin Salman, was arrested in 2021 when he arrived in Saudi Arabia to visit family.