There's a new vulnerability in town... "The new bug, dubbed LogJam, is a cousin of Freak. But it’s in the basic design of TLS itself, meaning all Web browsers, and some email servers, are vulnerable." [1] According to the article, "Internet-security experts crafted a fix for a previously undisclosed bug in security tools used by all modern Web browsers. But deploying the fix could break the Internet for thousands of websites."
Logjam attack can allow an attacker "to significantly weaken the encrypted connection between a user and a Web or email server..." [2]
From: https://weakdh.org/
Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS.
We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed...
We're starting to see news coverage from other outlets, and we're sure more analysis will emerge. However, at this time your best source for more information on this bug is at weakdh.org.
For now, ensure you have the most recent version of your browser installed, and check for updates frequently. If you’re a system administrator, please review the Guide to Deploying Diffie-Hellman for TLSat https://weakdh.org/sysadmin.html
--
Brad Duncan
ISC Handler and Security Researcher at Rackspace
References:
[1] http://www.wsj.com/articles/new-computer-bug-exposes-broad-security-flaws-1432076565
[2] http://www.pcworld.com/article/2924532/new-encryption-flaw-logjam-puts-web-surfers-at-risk.html
'취약점 정보1' 카테고리의 다른 글
| Samsung Galaxy S phones fail to properly validate Swiftkey language pack updates (0) | 2015.06.17 |
|---|---|
| 블루코트 ssl취약점 (0) | 2015.06.02 |
| 아래한글 임의코드 실행 취약점 보안 업데이트 권고 (0) | 2015.05.21 |
| CVE-2015-0935: PHP Object Injection in Bomgar Remote Support Portal (0) | 2015.05.10 |
| Automated Data Exfiltration With XXE (0) | 2015.05.02 |