A team of researchers has released details of a new attack called “Logjam.” This attack enables a man-in-the-middle attacker to downgrade the connection between the client and the server to an easier-to-break cipher. Many servers support these weaker ciphers, though there is no practical reason to support them. The solution is to simply not support any ciphers that are easy to break. In fact, the browser makers are doing that right now.
The offending ciphers, Export Diffie-Hellman ciphers, can be found in
HTTPS, SSH, VPN, mail, and many other servers. This does not, however,
mean that you are vulnerable, or that you need to panic. Exploiting
this vulnerability requires man-in-the-middle and a high level of
sophistication. The real risk is relatively low on this issue compared
to Poodle or Heartbleed. You should simply test your TLS endpoints to
ensure that they do not support any weak ciphers. If you took this step
back when FREAK came out, you are likely already okay.
The specific ciphers to disable for this attack are DHE_EXPORT
ciphers (or “EXP-EDH-” ciphers). But go ahead and disable all weak
ciphers, while you’re at it.
All WhiteHat Sentinel dynamic testing services (BE, SE, PE, PL,
Elite) now report the use of export ciphers as part of reporting on weak
ciphers, and specifically call out the ciphers that are a concern for
Logjam.
The research team that released the report has also set up a page to test your servers here: https://weakdh.org/sysadmin.html.
Remember that when you test a hostname, you are really testing the
TLS endpoint for that connection, which may be a load balancer or
firewall, and not your application server.
0 comments:
Post a Comment