What happens when the government deliberately weakens and attacks encryption?

In the midst of a renewed debate on American encryption laws, research released on Tuesday reveals two new cyberattacks collectively known as Logjam that affect tens of thousands of the most popular websites. It also shows how Bill Clinton-era encryption laws and George W. Bush-era NSA attacks on encryption have made the Web less secure today, and it likely disproves the U.S. government’s promise that it makes all crucial Internet vulnerabilities public.

The first part of the Logjam attack, like the Freak bug before it, allows an attacker to downgrade vulnerable connections to relatively weak 512-bit encryption that can be easily eavesdropped on or modified by a third party.

This is a direct consequence of 1990s American laws that limited the strength of exported encryption to 512 bits. The laws were designed so that American spies could more easily eavesdrop on foreign targets. The restrictions were eventually lifted after much resistance, but the consequences are still felt today due to widespread use of the weaker encryption.

“Logjam is once again a very clear reminder of why weakening cryptography is a very bad idea,” researcher J. Alex Halderman said in a phone interview. “The vulnerability is a direct result of weakening cryptography legislation in the 1990s. Today, thanks to Moore’s law and improvements in cryptanalysis, the ability to break that crypto is something really anyone can do with open-source software.”

The second facet of the Logjam attack shows that higher-grade cryptography of up to 1024 bits is vulnerable and likely currently under attack by state-sponsored hackers, like those at the National Security Agency.

As a result of state-sponsored hacking attacks as well as the use of low-quality cryptography on a significant scale across the Internet, tens of thousands of the world’s most popular websites, about 8.4 percent, are vulnerable to attack. Also vulnerable are tens of thousands of email servers and 66 percent of virtual private networks (VPNs), which are specifically designed to protect a user’s privacy from eavesdroppers.

What this means for the average Web user is that encryption that was meant to keep you safe and your data private—technologies like HTTPS, SSH, and VPNs—is likely being broken by the millions by the NSA, not to mention other countries with the resources to do so.

Earlier this year, Der Spiegel revealed Edward Snowden leaks that showed the NSA could passively decrypt VPN traffic, but they didn’t explain how. The Logjam researchers spent months diving into the Snowden papers and are now asserting that, after millions of dollars of investments on the part of American intelligence, Logjam is how the NSA likely attacks encryption across the Web.

The NSA’s likely use of the Logjam attack to break millions of encrypted connections runs counter to the U.S. government’s promise that it makes public the vast majority of discovered zero-day exploits (i.e. vulnerabilities previously unknown and unpatched by the software vendor).

Why is low-quality cryptography used so widely? Two reasons: It takes time and money to fix with an upgrade to stronger encryption, of course, and many experts didn’t think anyone could successfully break it.

“The issue is that, before Snowden went to the press, there were many smart computer experts who were happy to dismiss the idea that the NSA was doing anything like this,” says Christopher Soghoian, principal technologist at the American Civil Liberties Union.

“If you had a conversation with engineers building your systems and said that the NSA is probably monitoring everything we do, they’d probably write you off as paranoid,” he adds. “A lot of people weren’t interested in upgrades and fixes because they thought the threat wasn’t realistic.”

There’s a stark difference in the way security and cryptography were handled before and after Snowden. The consequences of pre-Snowden naivete are still with us today.

All major Web browsers are affected by Logjam. Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, and Apple Safari are all deploying fixes for the Logjam attack, according to the researchers. Internet Explorer has already been upgraded.

Research team: NSA may be able to decrypt connections to 66% of VPN servers. Totally nuts. https://t.co/m8QkuNdiD2 — Christopher Soghoian (@csoghoian) May 20, 2015

“Logjam shows us once again why it’s a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for,” Halderman told Ars Technica. “That’s exactly what the U.S. did in the 1990s with crypto export restrictions, and today that backdoor is wide open, threatening the security of a large part of the Web.”

Attacking even higher grade encryption, up to 768- or 1024-bit, is within the capabilities of state-supported hackers, including America’s National Security Agency, the Logjam researchers say.

“In the 1024-bit case, we estimate that such computations are plausible given nation-state resources, and a close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break,” the researchers explained. “We conclude that moving to stronger key exchange methods should be a priority for the Internet community.”

The new research provides a strong answer to critical questions raised by Snowden’s leaks that showed the NSA breaking millions of encrypted connections. Experts have long wondered how, and the Logjam attack is a powerful explanation.

Logjam came to light just hours after the biggest tech companies on Earth, including Google, Apple, Facebook, Twitter, and more, wrote an open letter to President Obama urging him to oppose any legal mandates for backdoors in encryption.

“We decided it was time for the Internet community … to draw a line in the sand,” said Kevin Bankston, policy director at New America’s Open Technology Institute, which organized the letter. “We’re calling on Obama to put an end to these dangerous suggestions that we should deliberately weaken the cybersecurity of American products and services.”

Many of the biggest companies involved in the letter were aware of this vulnerability before it was released to the public, so that they could fix it. The timing of the letter immediately followed by the disclosure of this new attack hardly seems like a coincidence.

Instead, it’s the next move in an increasingly political battle over the future of encryption. On the other side of the fight are people like FBI Director James Comey who want to legally mandate inserting backdoors into encryption by American companies, like Apple’s iOS and Google’s Android mobile operating systems, which encrypt users’ devices by default.

Experts have long argued that the consequences of such legislation would make the Internet less secure. Logjam is the cybersecurity community’s proof that it does.

“The backdoor might have seemed like a good idea at the time,” J. Alex Halderman said. “Maybe the arguments 20 years ago convinced people this was going to be safe. History has shown otherwise. This is the second time in two months we’ve seen 90s era crypto blow up and put the safety of everyone on the internet in jeopardy.”

“Any unintentional flaws that are created as a part of this process will not be discovered for months or years after the fact,” Soghoian said. “The take home for this story is that encryption is really difficult. It’s really hard for technical experts to get these things right under the best circumstances. Trying to build it with government restrictions is impossible.”

You can read the research in full here:

H/T Chris Soghoian | Illustration by Max Fleishman