Jump to content


Photo

HTTPS-crippling attack intercepts encrypted data.


  • Please log in to reply
2 replies to this topic

#1 Chachazz

Chachazz

    Is GSF inventory

  • General Admin
  • 36,503 posts

Posted 20 May 2015 - 09:58 AM

HTTPS-crippling attack threatens tens of thousands of Web and mail servers

Diffie-Hellman downgrade weakness allows attackers to intercept encrypted data.

http://arstechnica.c...d-mail-servers/

 

"The weakness is the result of export restrictions the US government mandated in the 1990s on US developers who wanted their software to be used abroad. The regime was established by the Clinton administration so the FBI and other agencies could break the encryption used by foreign entities. Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled sever that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties."



#2 Chachazz

Chachazz

    Is GSF inventory

  • General Admin
  • 36,503 posts

Posted 22 May 2015 - 06:25 PM

Mozilla has released an Extension to mitigate this vulnerability:

 

Disable DHE

Disables ephemeral Diffie-Hellman cipher suites that are vulnerable to the logjam attack.

 

https://addons.mozil...on/disable-dhe/



#3 Chachazz

Chachazz

    Is GSF inventory

  • General Admin
  • 36,503 posts

Posted 23 May 2015 - 07:05 PM

Test your Browser - https://weakdh.org/