
[El Reg] 'Logjam' crypto bug could be how the NSA cracked VPNs


Post by parityboy » Wed May 20, 2015 6:12 pm

Johns Hopkins crypto researcher Matthew Green thinks he might have an explanation for how the NSA attacked VPN services: flaws in how TLS implements Diffie-Hellman cryptography.

In what's bound to be the next big branded bug, Green says servers that support 512-key “export-grade” Diffie-Hellman (DH) can be forced to downgrade a connection to that weak level. The server – and therefore the client – will both still believe they're using stronger keys such as 768-bit or 1024-bit.

Like so many things – including the similar FREAK flaw – the bug is ancient: a 20-year-old SSL bug that was inherited by TLS.

Green has hosted a site discussing what's being called "Logjam", Weakdh.org, with a detailed academic paper here (PDF).

Source
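
A defender-side check for the weakness the quoted article describes, added here as an example (it is not part of the original post and not cryptostorm's code): it reads the prime size from a server's `DH PARAMETERS` PEM file and picks export-grade DHE suites out of a configured cipher list. The 2048-bit minimum follows the weakdh.org guidance; the function names and the sample parameters are constructed for illustration.

```python
import base64

MIN_BITS = 2048  # group size recommended by the Logjam authors (weakdh.org)

def _read_tlv(buf, pos=0):
    """Decode one DER element; return (tag, value, offset of the next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem):
    """Bit length of the prime p in a PKCS#3 'DH PARAMETERS' PEM file."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    der = base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))
    tag, seq, _ = _read_tlv(der)           # DHParameter ::= SEQUENCE { p, g, ... }
    ptag, p, _ = _read_tlv(seq)            # first member is INTEGER p
    if (tag, ptag) != (0x30, 0x02):
        raise ValueError("not a SEQUENCE starting with INTEGER p")
    return int.from_bytes(p, "big").bit_length()

def verdict(bits):
    if bits <= 512:
        return "export-grade"              # the size Logjam downgrades a connection to
    return "ok" if bits >= MIN_BITS else "weak"

def export_dhe(suites):
    """Ephemeral-DH export cipher suites in a list of OpenSSL or IANA names."""
    return [s for s in suites
            if s.startswith(("EXP-EDH-", "EXP-DHE-")) or ("_DHE_" in s and "_EXPORT_" in s)]

def sample_pem(bits):
    """Constructed input: p is only an odd number of the requested size, not a real prime."""
    def der(tag, val):
        n = len(val)
        size = (n.bit_length() + 7) // 8
        head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
        return bytes([tag]) + head + val
    ints = [x.to_bytes(x.bit_length() // 8 + 1, "big") for x in ((1 << (bits - 1)) | 1, 2)]
    body = base64.encodebytes(der(0x30, b"".join(der(0x02, i) for i in ints))).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + body + "-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(bits, verdict(dh_prime_bits(sample_pem(bits))))
    print(export_dhe(["EXP-EDH-RSA-DES-CBC-SHA", "DHE-RSA-AES256-GCM-SHA384"]))
```

To audit a real deployment, pass the contents of the server's own DH parameters file to `dh_prime_bits` in place of `sample_pem(...)`.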



Post by VirtuosicVagabond » Wed Jun 17, 2015 10:42 am

I find it baffling that Chrome and Firefox haven't been patched for Logjam, but IE is patched.

I also find it baffling that pj or someone else didn't reply to this topic.


Post by marzametal » Thu Jun 18, 2015 4:06 pm

Their silence in recent weeks (don't have Twitter so don't know if they are active on there) is a bit worrying. Got dramas in Windows 3rd party security software outbound connection requests, which no one on Wilders or MalwareTips wants to address... things are gonna' get hectic.
