Freaky 'LogJam' TLS flaw weakens web encryption for MiTM surprise

News by Doug Drinkwater

Researchers say the new 'LogJam' encryption flaw could be used by attackers to downgrade Transport Layer Security (TLS) connections to 512-bit export-grade cryptography, to crack that connection and read any data being transmitted. The flaw affects thousands of web and email servers, as well as VPNs.

Researchers from Microsoft, John Hopkins University, University of Michigan, University of Pennsylvania and the Inria Nancy-Grand Est research in France,  discovered the flaw some months ago, and have subsequently informed browser makers about the issue, who are in the middle of patching. The research team has published a technical paper and built a useful micro-site, which sheds more light on the issue, as well as how to fix the problem.

At first glance, the flaw looks somewhat similar to the Freak (Factoring attack on RSA-EXPORT Keys) flaw, which came to light in March, although there are some notable differences.

For instance, whereas Freak was down to an implementation flaw in SSL and TLS, and keys were shared over RSA protocols, LogJam has been described as a flaw in the TLS protocol, which relates specifically to an age-old bug in the Diffie-Hellman algorithm.

The Diffie-Hellman key exchange is a popular cryptographic algorithm used in several Internet protocols that rely on TLS, as well as HTTPS, SSH, IPsec and SMTPs. Put simply, it agrees on a shared key for a secure web connection.

However, US export rules dating back from the 1990s stipulated that TLS connections should support weakened, “export-grade” 512-bit encryption, which some sceptics say was put in place with the NSA in mind.

This weakened encryption could be easily cracked by criminals and nation-states to read encrypted web connections over web, email or VPN; in this research, academics suggested that academics could break 768-bit encryption, with nation-states able to crack 1024-bit.

Breaking the latter, said the researchers, would enable passive eavesdropping on almost a fifth (18 percent) of the top million HTTPS domains. More generally, the flaw affects any server supporting the DHE-EXPORT ciphers, which is used by all modern web browsers, as well as POP3S and IMAPS email servers.

“To comply with 1990s-era US export restrictions on cryptography, SSL 3.0 and TLS 1.0 supported reduced-strength DHE_EXPORT cipher suites that were restricted to primes no longer than 512 bits”, the academic paper from the researchers notes.

This attack isn't without pitfalls, though, with John Hopkins crypto researcher Matthew Green, saying that the attacker would need to be on the same network as the victim, such as on coffee shop Wi-Fi. He also speculated that NSA might have used this flaw to target VPN connections.

There is also good news in that those who have already patched their software to fix Freak will not be vulnerable, as those fixes removed the ability for software to run weaker export-grade ciphers. Browser makers, however, didn't do this at the time, seemingly down to concerns that a handful of websites are still using 512-bit keys.

James Maude, security engineer at Avecto, told via email: “The LogJam issue highlights how far back the long tail of security stretches. As new technologies emerge, and cryptography hardens, many simply add on new solutions without removing out-dated and vulnerable technologies. This effectively undermines the security model you are trying to build. Several recent vulnerabilities such as POODLE and FREAK have harnessed this type of weakness, tricking clients into using old, less secure forms of encryption.

“We cannot predict the future so the best option is to be as secure as technology allows. Organisations should not only be looking at what to add but what to remove as part of a strong patch management and update process. Ultimately, security is a journey, not a destination and all aspects need to continuously evolve as  we  move  forward.”  

Bob Tarzey, analyst and director at Quocirca, told SC: “Another day another vulnerability – in this case one that had been around for years before coming to light. This coming to light of new vulnerabilities will not cease, so the answer lies in fixing flaws rapidly, the browser providers seem to be on the case. Interesting, those that had taken note of and fixed the FREAK vulnerability are already protected from LogJam – that should be a lesson to anyone impacted in this in the value of keeping up to speed with software updates.”

Rob Shapland, senior penetration tester and technical operations manager at First Base Technologies, added in an email to SC:  “The new LogJam vulnerability demonstrates yet another flaw in TLS/SSL, and highlights just how important it is for server administrators to keep up to date with the latest advice on how to securely implement encrypted connections. In my view, the attack doesn't introduce anything that the average user should be overly concerned about, as it would require significant resources to successfully execute. It does, however, shed new light on privacy concerns and shows how nation states may be able to break communications encryption.”

Experts encourage system and web administrators to disable export-grade cipher suites, and generate a new unique 2048-bit DH key group. A key to doing so can be found via

In addition, they are also urged to look out for browser updates, with developers also told to use the latest libraries and reject Diffie-Hellman groups shorter than 1024 bits. Google (which has already vowed to increase Chrome to 1024-bit), Mozilla and Apple are all set to deploy patches, with Microsoft already having done so for Internet Explorer.

Researchers have published proof-of-concept (IPOC) videos (logjam.html) and a guide to deploying Diffie-Helman for TLS (sysadmin.html).

Update: Robert Gonzalez, security expert at Red Lambda, told SC: “To mention LogJam simply justifies the carelessness and excuses the reasons LogJam became an issue to begin with. If you look at the natural progression of these security downgrades it was only inevitable that a man in the middle attack would form to take advantage of a deliberate vulnerability.

“LogJam is the cousin of Freak. The differences here is that Freak was an implantation flaw. Logjam is an actual flaw in the design of TLS itself. This affects most modern browsers and web servers. Before looking at how to protect ourselves as in most things with cyber security we should be asking the hard question “How did we get here?” he added, citing the Clinton Administration and the FBI reducing the strength of DHE_EXPORT cipher suites to prime numbers no longer than 512.

“We allowed the government to literally cripple encryption. This is why unbeknownst to them one can search for foreign encryption in the darknet to protect themselves from interlopers.

“The important thing to remember here is beyond the usual of keeping yourself current on updates and protected, developers also need to stop being lazy and use current libraries. Keep that encryption high – and setup your own VPN to thwart those who would harm you”.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews