Security Attack Called Logjam makes Browsers Vulnerable


A security hole called "Logjam" affecting many major browsers is being reported. It is a weakness in the way TLS, the protocol behind HTTPS, negotiates a Diffie-Hellman key exchange: a man-in-the-middle can downgrade a connection to a 512-bit "export-grade" Diffie-Hellman group, which is small enough to break with precomputation, and then read or alter the traffic. If you go to the site reporting the attack, https://weakdh.org/, it will tell you if your browser is vulnerable. Browsers are supposedly preparing updates, but as of this writing I found my Windows browsers Chrome version 43.0.2357.65 m (64-bit) and Firefox version 38.0.1 to be vulnerable. Both claim to be up to date. My iPad Safari browser and my Android 5.0 browser were also rated vulnerable. Internet Explorer update version 11.0.19 was rated as not vulnerable.

Keep checking to see if updates are available; the fix is a browser that refuses to complete a handshake when the server offers a Diffie-Hellman group smaller than 1024 bits. In the meantime, be aware that your supposedly secure browsing may not be secure. More information here. Security expert Bruce Schneier reports that this attack may have been used by the NSA: the researchers behind the disclosure estimate that a nation-state could break the most common 1024-bit groups the same way.
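As an added example (not from the original article or from the weakdh.org researchers), here is, in Python, the check a patched browser applies to the server's ephemeral Diffie-Hellman parameters in a TLS 1.2 ServerKeyExchange message, the check behind Firefox's ssl_error_weak_server_ephemeral_dh_key error that appears in the comments below. The 1024-bit minimum is an assumption standing in for each vendor's chosen threshold, and the sample messages are constructed with synthetic moduli: clients check only the size of the group, not whether p is prime (primality testing is too expensive at handshake time), so the size is what matters here.

```python
"""Added example: the DH-group size check a patched TLS client applies.

Logjam downgrades a DHE handshake to a 512-bit "export" group; a client
that aborts on small groups cannot be downgraded this way.  The message
format is ServerDHParams from RFC 5246 section 7.4.3:

    opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>;

Assumption: MIN_DH_BITS = 1024 stands in for a vendor's threshold (weakdh.org
recommends 2048-bit groups for servers).  Sample moduli below are constructed
and not prime; clients check only the size of p, not its primality.
"""
import struct

MIN_DH_BITS = 1024  # assumed client policy


def parse_server_dh_params(body: bytes) -> dict:
    """Parse dh_p, dh_g, dh_Ys (each a 2-byte length plus big-endian value).

    Returns the three integers plus 'consumed', the offset at which the
    signature of a signed ServerKeyExchange would begin.
    """
    fields, off = {}, 0
    for name in ("p", "g", "Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before length of dh_{name}")
        (length,) = struct.unpack_from("!H", body, off)
        off += 2
        if length == 0 or off + length > len(body):
            raise ValueError(f"bad length {length} for dh_{name}")
        fields[name] = int.from_bytes(body[off:off + length], "big")
        off += length
    fields["consumed"] = off
    return fields


def check_dhe(body: bytes, min_bits: int = MIN_DH_BITS) -> str:
    """Return 'ok' or the reason a client should abort the handshake."""
    params = parse_server_dh_params(body)
    p, g, ys = params["p"], params["g"], params["Ys"]
    bits = p.bit_length()
    if bits < min_bits:
        # The Logjam case: a downgraded, export-grade group.
        return f"weak_server_ephemeral_dh_key ({bits}-bit group, need >= {min_bits})"
    if g < 2 or not (2 <= ys <= p - 2):
        # A degenerate generator or public value forces a trivial shared secret.
        return "invalid_dh_public_value"
    return "ok"


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build ServerDHParams bytes; used here to construct test messages."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed sample messages (top bit set fixes the exact size; not prime).
EXPORT_GRADE_MSG = encode_server_dh_params((1 << 511) | 1, 2, 12345)   # 512-bit p
STRONG_MSG = encode_server_dh_params((1 << 2047) | 1, 2, 12345)        # 2048-bit p

if __name__ == "__main__":
    for label, msg in (("export-grade", EXPORT_GRADE_MSG), ("2048-bit", STRONG_MSG)):
        print(f"{label}: {check_dhe(msg)}")
```

The about:config workaround discussed in the comments takes a different route: it stops the browser from offering the DHE cipher suites at all, so the downgrade has nothing to act on and the browser negotiates ECDHE or plain RSA key exchange instead, which is why the Qualys manual test then fails with ssl_error_no_cypher_overlap rather than the weak-key error.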

Added: An alternate test site can be found here: https://www.ssllabs.com/ssltest/viewMyClient.html



This tips section is maintained by Vic Laurie. Vic runs several websites with Windows how-to's, guides, and tutorials, including a site for learning about Windows and the Internet and another with Windows 7 tips.



Comments

Well, my 40-some windows and 300-some tabs (excessive, I know) prompted me to install the beta 64-bit Windows Firefox, which is v40.0.
In this version of Firefox:

Qualys SSL Client Test <hxxps://www.ssllabs.com/ssltest/viewMyClient.html>
reports:
"Logjam Vulnerability (Experimental)
Your user agent is not vulnerable."
Good :)

However, when I click on their "test manually" (for Logjam) <hxxps://www.ssllabs.com:10445/>
I get:
Secure Connection Failed

An error occurred during a connection to www dot ssllabs dot com:10445. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

This report is from Firefox, not ssllabs.com!

This is with
security.ssl3.dhe_rsa_aes_128_sha TRUE
and
security.ssl3.dhe_rsa_aes_256_sha TRUE

When I switch both to false:
1. I can get into the other website that also gave me the ssl_error_weak
2. However, ssllabs "test manually" <hxxps://www.ssllabs.com:10445/>
gives another error:

Secure Connection Failed

An error occurred during a connection to www.ssllabs.com:10445. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

I think that error might mean success? meaning, safe. perhaps?

(BTW These are all the same ssllabs links that they were in May)

I have NoScript disabled and FF 38.0.1 passed at both test sites. I have the (3) Adblock add-ons installed but I don't really know what could help or hinder. I also did the about:config settings.

Diffie-Hellman ... horse hooey, better to use Joe Diffie instead.

To Firefox users on the latest version:
about:config
Search ssl3
Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)
Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)
That's it, you can test using: https://www.ssllabs.com/ssltest/viewMyClient.html
From Mozilla Forums (thanks jscher2000)

6:05pm EDT 5/25/2015, at https://weakdh.org/ I got:

The connection has timed out
The server at weakdh.org is taking too long to respond.

EDIT: http://isup.me/weakdh.org says
"It's not just you! http://weakdh.org looks down from here."

They are probably getting bombarded.

https://www.ssllabs.com/ssltest/viewMyClient.html
and
https://www.ssllabs.com:10445/ (what Qualys calls "test manually")
both work fine.

And my FF 38.0.1 is reported vulnerable. I have the extensions Cookie Monster and Disconnect, but don't have NoScript or AdBlock.

I would have thought that today's Chrome update (which I haven't received yet) would correct this, but there's nothing about it that I can see in the detailed log:
http://googlechromereleases.blogspot.com/2015/05/stable-channel-update_25.html

It doesn't look like it's going to be in FF 38.0.5 either since the current RC build of it doesn't address it (workaround is easy enough though).

This is confusing - the weakdh.org site reports my Win7x64 desktop running FF v38.0.1 as not vulnerable, but the Qualys SSL Labs site reports the 'user agent' is vulnerable to Logjam. Left wondering if this is a case of some technical "Who's on first?" routine with a rapidly-evolving threat vs. incremental browser updates....

That reads like your browser has been tweaked (by an add-on or manually) to block the vulnerability, whereas most/vanilla versions of FF 38.0.1 are vulnerable.

I'm running a variety of protective add-ons (NoScript, PrivacyBadger, HTTPS Everywhere, Adblock Edge + a few others), so perhaps it's one of those...

I don't think it would be AdBlock, the other 3 look much more likely, esp NoScript and HTTPS Everywhere.

The only active scripts being blocked on that page by NoScript are Googletagmanager and Googletagservices, which I don't (and won't) allow to run anywhere.

When I clicked the Read More link (http://www.techsupportallert.com/content/security-attack-called-logjam-makes-browsers-vulnerable.htm) in the email, I got a page not found error. The link spells alert with two el's

Hmmm. Opera 12.17 shows Not Vulnerable to Logjam, but fails the "Protocol Support" section.

budchekov, changing ssl3 worked for Firefox but not Pale Moon.

Pale Moon Commander enables you to change these settings: http://www.palemoon.org/commander.shtml

Several other threads on this topic in the forums there: https://forum.palemoon.org/index.php

Go to the PM forum and ask why?

See here folks, either an Extension....or changing the two about:config preferences mentioned WFM on latest release and Beta.

http://forums.mozillazine.org/viewtopic.php?f=38&t=2935955

Thanks for the link, budchekov. One of the posts there gives an alternate test site that I am adding to the article.

Weird, I believe you Joe. I am on Firefox 38.0.1 too, but Vista 32-bit, and my result is reporting I am unsafe too, like Vic. It must be one of the add-ons you are using and/or this test is not good enough.

So how come I am on Firefox 38.01 (same as you) and it tells me I am safe? I am on W8.1 x64 Update and I am using uBlock Origin with NoScript (but I had to temporarily allow the site to do the test). Still, why should my test results be different to yours?

Joe, I tried the test in both Windows 7 64-bit and Windows 8.1 64-bit. Both said my FF 38.0.1 was unsafe. I also have add-ons and had to disable NoScript since the test uses JavaScript.

Then something is wrong with the test.

[Edit]
I just tried weakdh.org again and the result is the same. On trying Qualys SSL Labs it tells me everything is safe except Logjam which is experimental and labeled as that. In the end, I still think something is wrong with both tests.

What happens if you run the test using FF in safe mode?

If I do the test in Safe Mode it then tells me I'm vulnerable. I suppose one of my addons is interfering the test. Do you think I should disable the 2 SSL settings in about:config as mentioned in the link provided by budchekov?

Joe, I don't know if an add-on is interfering with the test or may actually be protecting you. Maybe somebody who knows more can tell us. As for the settings in about:config, I am not sure exactly what they do but it seems reasonable to change them. If the change causes trouble, they can be reset.

Okay, thanks.