It’s a shame that several old security flaws dating back as far as the 1990s continue to be uncovered by researchers in the 21st century. The latest is a critical vulnerability in the Transport Layer Security (TLS) protocol that enables an attack on the communication between a user and thousands of websites and mail servers.
The majority of websites, VPN servers and mail servers today use the TLS protocol to encrypt network traffic. But researchers from various groups and academic institutions, including Johns Hopkins University, found that attackers can subvert the protocol by downgrading the encryption to a level they can easily break.
That is made possible by an old TLS flaw called Logjam, first discovered in the 1990s but which has still not been patched.
The attack is easy to carry out: the attacker only needs to be on the same network as the victim, such as a public WiFi hotspot. More alarming still, the National Security Agency might also have used this vulnerability to spy on private individuals who use secure VPN connections.
At the heart of the flaw are the Diffie-Hellman ciphers used for encryption. With this algorithm, the server and the browser agree on a shared secret key and negotiate a secure connection before the communication begins.
It is hard to imagine how the vulnerability came about, because Diffie-Hellman has long been considered a highly secure method of encrypting network traffic: its keys can be changed constantly, so anyone intercepting traffic would have to crack each new key, which is no easy task.
Luckily for hackers, the Logjam vulnerability strips the algorithm of its strict settings and allows anyone with the technical know-how to downgrade the Diffie-Hellman prime numbers used for key generation from 2048 bits to only 512 bits.
That appears to be an easy task for the NSA, and the researchers believe the spy agency can break even 1024-bit primes.
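To make the defensive side of this concrete, the following is an added example (my own code, not from the article or the Logjam researchers). It runs a Diffie-Hellman exchange over a constructed 512-bit prime and then applies a client-side validator that refuses any group whose prime is shorter than a configurable minimum (2048 bits by default, matching the size the article says the protocol is downgraded from). The exchange still succeeds mathematically at 512 bits, which is exactly why the fix has to live in the client: a downgrade only works if the client accepts the small group it is offered. The function names (validate_dh_params, make_prime, demo), the Miller-Rabin helper and the demo prime are all my assumptions; the constructed prime is not a safe prime and is for illustration only.

```python
import random

# Seeded RNG so the constructed demo group is reproducible from run to run.
_rng = random.Random(2015)

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test; adequate for a demo validator."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_prime(bits):
    """Constructed demo prime of the requested size (NOT a safe prime)."""
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def validate_dh_params(p, g, min_bits=2048):
    """Client-side policy check on the group offered by the server.

    A too-small prime is rejected outright, which is the mitigation for
    a Logjam-style downgrade: the attacker can only push the client to
    a 512-bit group if the client is willing to use one.
    """
    if p.bit_length() < min_bits:
        return False          # export-grade size: refuse the handshake
    if not is_probable_prime(p):
        return False          # composite "prime" offered by the peer
    if not 1 < g < p - 1:
        return False          # degenerate generator
    return True


def dh_keypair(p, g):
    """Private exponent and public value for one party."""
    priv = _rng.randrange(2, p - 1)
    return priv, pow(g, priv, p)


def dh_shared(p, peer_pub, priv):
    """Shared secret; rejects trivial public values (0, 1, p-1)."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, p)


def demo(bits=512, policy_bits=2048):
    """Run an exchange over a `bits`-sized group and report the policy verdict."""
    p = make_prime(bits)
    g = 2  # demo generator; with a non-safe prime it need not generate a large subgroup
    a_priv, a_pub = dh_keypair(p, g)
    b_priv, b_pub = dh_keypair(p, g)
    keys_agree = dh_shared(p, b_pub, a_priv) == dh_shared(p, a_pub, b_priv)
    return {
        "prime_bits": p.bit_length(),
        "keys_agree": keys_agree,                      # True: the math works at 512 bits
        "accepted": validate_dh_params(p, g, policy_bits),  # False under a 2048-bit policy
    }


if __name__ == "__main__":
    print(demo(512, 2048))
```

Running the block shows both parties deriving the same secret over the 512-bit group while the validator reports the group as not accepted; lowering the policy to 512 bits makes the same group acceptable, which is the behaviour the downgrade relies on.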
It all began in the 1990s, when the U.S. government banned the export of high-grade cryptography products, requiring developers to ship only weaker security products worldwide. The result is weaker encryption that is now in wide use all over the globe.
The flaw can only be exploited through a man-in-the-middle attack, so it is likely to affect relatively few users. A patch is also already in the works.