Security bug threatens secure Web connections

For several years, cyber security and safety pundits, myself included, have advised Web users to be sure that sensitive information is only transmitted over secured Web connections. Virtually all modern browsers and most websites support “HTTPS,” where the common “HTTP” (Hypertext Transfer Protocol) that appears at the beginning of a Web address is “layered” with bi-directional encryption intended to secure the connection between the sending and receiving parties. The most common encryption protocols layered under HTTPS are “SSL” (Secure Sockets Layer) and “TLS” (Transport Layer Security). While they were previously considered reasonably secure against third-party eavesdropping, they have now been shown to be vulnerable to “man in the middle” interception.

The standard advice has been to connect only to ecommerce websites, online banking sites and other financial service websites that show the prefix “HTTPS://” before the Web address in the browser address bar. Many browsers also display a small “padlock” icon, often in the lower right corner of the browser window; if the padlock is “open,” the Internet connection is insecure, but if it is “closed” (locked), the connection has been considered reasonably safe and secure. For several years, Web users could rely on these safe-browsing features, assured that their sensitive data was being sent and received securely. Now, a new Web and browser vulnerability nicknamed “Logjam” has appeared that threatens the online security we have come to expect while conducting online transactions.

A Web user who wants to quickly and easily determine whether their browser of choice is vulnerable to Logjam can simply open the Webpage at weakdh.org; a red banner across the top of the page will clearly indicate the vulnerability, if present. At present, I am using the most up-to-date version of Firefox, version 38.0.5, but the red banner says, “Warning! Your Web browser is vulnerable to Logjam and can be tricked into using weak encryption. You should update your browser.” My preferred alternative browser, Google’s Chrome, is up to date but displays the same vulnerability warning, indicating that both of my preferred browsers have the Logjam vulnerability.

In simple terms, the HTTPS prefix at the beginning of a Web address, whether entered manually or supplied by browser default, is no longer considered as secure as it has been in the past. The common Web user who does online purchasing on popular ecommerce websites, online banking, online investing, and other forms of personally sensitive online transactions may not be as well protected against interception as previously thought. Recently published articles have also indicated that users of many of the large and popular “Cloud Service Providers,” which provide secured backup and data services, may also have had their “secured” Web connections compromised. It has also recently been determined that many widely used e-mail servers, which typically incorporate SSL or TLS encryption to secure e-mail communications, are affected by this vulnerability, theoretically allowing unauthorized third-party interception of e-mails.

While it is being debated in the media whether this vulnerability is simply a bug in the security protocols and the popular Web browsers, or is actually a spyware type of malware, it has very recently (late May) been given the moniker “Logjam.” The Logjam threat is bidirectional: a user’s Web browser negotiates the secured (HTTPS) connection with a server, so one of the primary weaknesses lies in the user’s Web browser itself, and almost all current browsers are vulnerable to Logjam. At present, the major security suites used by most PC and Mac users offer little or no protection from this Logjam vulnerability.

With possibly millions of ecommerce, financial service, e-mail servers and other sensitive Web-based services in widespread use, the number of vulnerable websites and servers is staggering. According to weakdh.org, a site dedicated to exposing the threats of Logjam, a team of computer scientists performed a study of Internet servers vulnerable to Logjam. The study found that servers supporting the very widely used 512-bit “DHE_EXPORT” encryption methods were often vulnerable to Logjam, depending on their purpose and function.

Websites that use the more sophisticated, and supposedly more secure, 1024-bit encryption methods may be even more vulnerable to “passive eavesdropping from an attacker with nation-state resources,” according to the computer scientists researching Logjam. The term “nation-state resources” implies that this Logjam vulnerability is not likely being exploited by typical hackers and crackers, but instead may be used by nations and states that have access to the extensive resources necessary to crack the dynamic encryption keys generated by the 1024-bit encryption protocols. If a “nation-state” with extensive resources could theoretically crack the 1024-bit encryption protocol key, the rate of data interception could increase significantly. According to an article published on May 21 by Business Insider, the suspected spy Edward Snowden implied that the United States government may have used the Logjam vulnerability to intercept sensitive, encrypted, online transmissions. This statement about the United States using Logjam to gather intelligence was independently corroborated by the computer scientists researching the Logjam vulnerability.
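As an added illustration, not part of the original column, the following script parses the Diffie-Hellman parameters a server sends in a TLS 1.2 ServerKeyExchange message (RFC 5246, section 7.4.3) and flags the 512-bit export-grade and 1024-bit group sizes discussed above; the sample message bytes are constructed here, and the function names are my own rather than any library’s.

```python
import struct

# Handshake message type for ServerKeyExchange (RFC 5246, section 7.4)
SERVER_KEY_EXCHANGE = 0x0C


def parse_server_dh_params(handshake):
    """Return (p, g, Ys) as integers from a DHE ServerKeyExchange message.

    Only the length-prefixed ServerDHParams are read; the signature that
    follows them in a real message is ignored. Raises ValueError if the
    message is malformed or truncated.
    """
    if len(handshake) < 4 or handshake[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    fields, off = [], 0
    for _ in range(3):  # dh_p, dh_g, dh_Ys, each prefixed by a uint16 length
        if off + 2 > len(body):
            raise ValueError("truncated DH params")
        n = struct.unpack_from("!H", body, off)[0]
        off += 2
        if off + n > len(body):
            raise ValueError("truncated DH params")
        fields.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    return tuple(fields)


def classify_dh_group(p):
    """Rate the modulus size the way the Logjam research does."""
    bits = p.bit_length()
    if bits <= 512:
        return "export-grade (Logjam downgrade target)"
    if bits <= 1024:
        return "weak (within reach of a well-resourced attacker)"
    return "acceptable"


def build_server_key_exchange(p, g, ys):
    """Constructed helper for sample data: an unsigned ServerKeyExchange."""
    def lv(x):
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    body = lv(p) + lv(g) + lv(ys)
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


# Constructed sample: a 512-bit modulus as an export-grade server would send.
# The value is arbitrary (not a real prime); only its size matters here.
SAMPLE_P_512 = (1 << 511) | 0x1234567
SAMPLE_MSG = build_server_key_exchange(SAMPLE_P_512, 2, 0xABCDEF)
```

Run against bytes captured from a real handshake, a modulus of 512 bits or less is the signal that a server still negotiates the export-grade groups Logjam abuses.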

The research posted at weakdh.org indicates that the number of supposedly secured Web servers, VPNs (Virtual Private Networks), and secured file and data transfer services using the supposedly more secure 1024-bit encryption may be more vulnerable than previously considered. If the U.S. can (allegedly) be the “man in the middle” intercepting this vulnerable but encrypted data, there is absolutely no reason to believe that others, such as Russia, China, Iran, Israel, India, Pakistan, France, Germany, the U.K. and other nation-states, are not doing much the same. With the financial backing and technical capabilities of terrorist organizations such as ISIS and Al Qaeda, it would not surprise me if they too were involved in intercepting some encrypted Internet communications.

Check your browser at weakdh.org for the Logjam vulnerability. An alternative website that will test your browser for the Logjam threat as well as other vulnerabilities is ssllabs.com/ssltest/viewMyClient.html. If your browser is vulnerable, as almost all browsers currently are (with Internet Explorer version 11.0.19 being an exception), check for an update, as all of the major browser publishers are working on patching the vulnerability. Simply opening the browser menu and selecting “About” will display the installed browser version, and most browsers will also indicate whether the browser is up to date, often with a link to an updated version, if available.

While there is no current anecdotal evidence that our common consumer financial transactions have yet been compromised by the Logjam vulnerability, the possibility still exists, and it is only a matter of time until cyber crooks find a way to capitalize on it. By the time that occurs, hopefully we all will have had an opportunity to upgrade our Web browsers to a more secure version - until next time.