Flaw In Web Encryption Leads To Easy Spying On Traffic

A flaw in the Transport Layer Security (TLS) protocol allows hostile actors to break the encryption used to protect secure web and internet traffic.  The vulnerability has been called LOGJAM and is a result of an old U.S. Government encryption export restriction.

This type of encryption works by using big prime numbers to create secret keys.  These keys are then used to encrypt information.  Many of the encryption attacks are based around figuring out what prime numbers were used to compute the security keys.

In order for your computer to talk securely to a web server, the encryption keys need to be shared.  To make this process simple and easy, a way to share keys over an insecure connection was designed.  Back in the 1990s the U.S. Government was concerned that foreign governments and bad guys would use encryption that couldn’t be broken.  To prevent the other side from using strong encryption, the U.S. established export restrictions on encryption.  The restrictions limited the complexity of the encryption that potential bad guys were allowed to legally purchase.  This resulted in computer systems in the U.S. using stronger encryption than computer systems outside the U.S.  To allow two systems using different-strength encryption to talk, the more secure system needs to downgrade its complexity to that of the lower-strength system.

TLS uses shared public keys and private keys to publicly establish a secure connection.  Remember, the keys are made using a pair of really big prime numbers, and the U.S. Government made it so encryption systems have the ability to downgrade to a lower encryption strength for compatibility.  LOGJAM works by exploiting both of these.

LOGJAM monitors TLS connections, looking for a TLS session in which it can force a downgrade of the encryption strength.  Once this has occurred, it works to determine the prime numbers used to make the keys.  After the prime numbers are determined, it is able to monitor the encrypted traffic.

So what is the impact?  According to the researchers, only 8% of the top one million secured websites support downgrading to the weaker strength encryption.  Of these, 92%, or just under 74,000 secure websites, use two of the most popular prime numbers.  In other words, almost 74,000 secure websites use default encryption keys that have already been figured out.  More concerning is the use of TLS to establish Virtual Private Networks (VPNs).  A VPN is used to secure communications between two computers or two computer networks.  Businesses are big users of VPNs to ensure communications between mobile workers or branch offices are secure.  The researchers found that almost 20% of the VPNs they surveyed support weaker strength encryption.

This is a vulnerability that can be mitigated through the use of stronger encryption, not using default keys, and making other technical changes.  The mitigation strategy follows what is considered to be a best practice when using TLS and other encryption.  This illustrates why having not only competent technical staff but also knowledgeable security people working for or with your organization is key to how secure you are.  Inexperienced technical staff may choose default or less secure configurations without knowing the impact it will have on your organization.  Working with a security assessment team to check the security you have in place ensures the work was done properly and looks for things missed.
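One way to check a server's Diffie-Hellman parameter file (the "DH PARAMETERS" PEM block that holds the prime used in the key exchange LOGJAM targets) for the two weaknesses named above, a weak prime and a widely shared default prime. This is an added example, not code from the original post; the 2048-bit floor, the function names, the deny-list and the toy sample are all assumptions made for illustration.

```python
import base64
import hashlib

MIN_BITS = 2048  # assumption: minimum prime size accepted by this audit

# Constructed toy sample (p=23, g=5), far too small for real use.
SAMPLE_PEM = """-----BEGIN DH PARAMETERS-----
MAYCARcCAQU=
-----END DH PARAMETERS-----"""

def read_tlv(buf, pos, tag):
    """Read one DER element with the given tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected or missing DER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def parse_dh_params(pem):
    """Return (p, g) from a PEM 'DH PARAMETERS' block (SEQUENCE of two INTEGERs)."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN DH PARAMETERS-----"
            or lines[-1] != "-----END DH PARAMETERS-----"):
        raise ValueError("not a DH PARAMETERS PEM block")
    der = base64.b64decode("".join(lines[1:-1]))
    seq, _ = read_tlv(der, 0, 0x30)
    p_raw, nxt = read_tlv(seq, 0, 0x02)
    g_raw, _ = read_tlv(seq, nxt, 0x02)
    return int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")

def fingerprint(p):
    """SHA-256 over the big-endian bytes of the prime, for deny-list lookups."""
    return hashlib.sha256(p.to_bytes((p.bit_length() + 7) // 8, "big")).hexdigest()

def audit(pem, shared_primes=frozenset()):
    """Return a list of findings; an empty list means both checks passed."""
    p, _g = parse_dh_params(pem)
    findings = []
    if p.bit_length() < MIN_BITS:
        findings.append("weak: %d-bit prime, below %d" % (p.bit_length(), MIN_BITS))
    if fingerprint(p) in shared_primes:
        findings.append("shared: prime is on the deny-list of widely reused primes")
    return findings

if __name__ == "__main__":
    # Deny-list holds only the constructed sample; real entries must be supplied.
    print(audit(SAMPLE_PEM, {fingerprint(23)}))
```

The audit checks only size and reuse; it does not test that the value is actually prime.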

Post by Remote Process