An international team of computer scientists and security researchers has discovered LogJam, an Internet bug that enables an attacker to trick a Web browser into believing it is using a regular key rather than the export version.
LogJam is related to another flaw the team found over the winter, called Freak, which enabled an attacker to force another computer to use a smaller "export" key.
The newly discovered weakness also could enable an attacker to read or change communications that claim to be secure.
The researchers think the U.S. National Security Agency may have exploited LogJam, Freak, or other similar flaws to spy on virtual private networks.
About 8 percent of the top 1 million websites are vulnerable to the new bug because they support export keys based on the same large numbers. Although Web browser makers could fix the problem by changing their programs to reject small keys, that would disable thousands of legitimate Web servers, according to the researchers.
After the Freak bug was disclosed in March, browser makers agreed to reject small keys but debated where to set a threshold. In the end, the browser makers decided to move toward rejecting keys with fewer than 1,024 bits, or 309 digits, a move that could leave about 0.2 percent of secure websites inaccessible to users.
From The Wall Street Journal
View Full Article
Abstracts Copyright © 2015 Information Inc., Bethesda, Maryland, USA