Logjam: How Diffie-Hellman Fails in Practice
(weakdh.org)
The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable.

Yet another vulnerability allowing an attacker to downgrade the TLS connection to use weaker ciphers. The solution in this case is easy:
- Generate a strong DH group: openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
- Configure the web server (e.g. nginx): add ssl_dhparam /etc/nginx/certs/dhparams.pem; to nginx.conf
STARTTLS has a glaring problem: it's negotiated over the plaintext channel.
The S: 250 STARTTLS line is sent in the clear, so an attacker performing a MitM attack can simply block it and prevent it from ever reaching the client. At that point the client will go ahead with unencrypted SMTP, unaware that the server supports TLS, and the server will assume it was the client that fell short in supporting it.
In the browser world, it's as if you always connected over HTTP and relied on the 301 redirect to switch to HTTPS. An attacker can do an SSL stripping attack where they simply answer your HTTP request themselves. That is also what HSTS is designed to prevent.