Tens of thousands of HTTPS-protected websites, mail servers, and other widely used Internet services are vulnerable to a new attack that lets eavesdroppers read and modify data passing through encrypted connections, a team of computer scientists has found.

The vulnerability affects an estimated 8.4 percent of the top one million websites and a slightly larger share of the mail servers populating the IPv4 address space, the researchers said. The threat stems from a flaw in the Transport Layer Security (TLS) protocol that websites and mail servers use to establish encrypted connections with end users. The new attack, which its creators have dubbed Logjam, works against the subset of servers that support the widely used Diffie-Hellman key exchange and still offer its 1990s export-grade variant. Diffie-Hellman allows two parties that have never met before to negotiate a secret key even though they're communicating over an unsecured, public channel.

The weakness is a legacy of the export restrictions the US government imposed in the 1990s on developers who wanted their cryptographic software to be used abroad: key exchanges in exported products were capped at 512 bits so that US intelligence and law-enforcement agencies could break the encryption used by foreign entities. Attackers who can sit between an end user and a server that still supports the export cipher suites can rewrite the client's handshake so that it asks only for an export suite. The server then answers with a 512-bit Diffie-Hellman group, and the client accepts it, because the server's signature covers the group parameters but not the cipher suite the client actually requested, and because clients never checked the size of the prime. Using data precomputed ahead of time for that 512-bit prime, the attackers can then solve for the session key negotiated between the two parties while the connection is still being set up.

"Logjam shows us once again why it's a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for," J. Alex Halderman, one of the scientists behind the research, wrote in an e-mail to Ars. "That's exactly what the US did in the 1990s with crypto export restrictions, and today that backdoor is wide open, threatening the security of a large part of the Web."

It wasn't supposed to be this way

Ironically, Diffie-Hellman is supposed to provide an additional layer of protection, because it lets the two connected parties derive a fresh key for every Web or e-mail session. The forward secrecy that Diffie-Hellman makes possible significantly increases the work of eavesdropping: an attacker must recover each session's key separately, whereas with RSA key transport a single compromised server private key decrypts every session, past and future. Logjam is significant because it shows that ephemeral Diffie-Hellman (DHE) can be fatal to TLS when the export-grade cipher suites are still supported. Logjam is reminiscent of the FREAK attack, which also allowed attackers to downgrade HTTPS connections to 512-bit export-grade cryptography, in that case RSA rather than Diffie-Hellman.

According to the informational site the researchers established at weakdh.org, only Internet Explorer has so far been updated to protect end users against Logjam attacks. The researchers said they have been working with the developers of the major browsers and that Chrome, Firefox, and Safari are also expected to implement a fix that rejects Diffie-Hellman handshakes whose prime is shorter than 1024 bits. Updates are expected within a day or two, and possibly much sooner. Information on vulnerable end-user e-mail programs wasn't available at the time this post was being prepared.
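The downgrade described above, and the client-side check the browser patches add, as an added example in Python (not the researchers' tooling or any browser's code): it builds the ClientHello a Logjam man-in-the-middle would forward, offering only the DHE_EXPORT suites; parses the ServerHello and the DHE ServerKeyExchange the server answers with; and flags a prime below the 1024-bit floor. The message layouts follow TLS 1.0/1.2. The server replies in the block are constructed offline with a stand-in modulus, not a real group, and the function names and the `assess` result keys are the example's own.

```python
"""Logjam probe helpers: build a ClientHello that offers only the DHE_EXPORT
suites, and parse the server's answer to find the size of the Diffie-Hellman
prime it sends back.  Added example, not the researchers' code; record and
handshake layouts follow RFC 2246 / RFC 5246."""
import os
import struct

# DHE_EXPORT suites from RFC 2246 (TLS 1.0).  A server that still negotiates
# one of these can be downgraded by a Logjam attacker.
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014
DHE_EXPORT_SUITES = (TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
                     TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA)

MIN_DH_BITS = 1024  # the floor the patched browsers enforce


def build_export_probe_client_hello(suites=DHE_EXPORT_SUITES):
    """TLS 1.0 ClientHello record offering only `suites` (no extensions).
    This is what a Logjam man-in-the-middle forwards to the server in place
    of the victim's real ClientHello."""
    body = struct.pack("!H", 0x0301)                    # client_version
    body += os.urandom(32)                              # client random
    body += b"\x00"                                     # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def _read_vector(buf, pos):
    """Read an opaque <1..2^16-1> vector at pos; return (bytes, new_pos)."""
    (length,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_server_hello(handshake_body):
    """Return the cipher suite selected in a ServerHello body."""
    pos = 2 + 32                                        # server_version, random
    sid_len = handshake_body[pos]
    pos += 1 + sid_len
    (suite,) = struct.unpack_from("!H", handshake_body, pos)
    return suite


def parse_server_dh_params(handshake_body):
    """Return (p, g, Ys) from a DHE ServerKeyExchange body.  The signature
    that follows these values covers them and the two randoms, but not the
    cipher suite, which is why a client cannot tell an export group from a
    normal one without looking at the size of p itself."""
    p, pos = _read_vector(handshake_body, 0)
    g, pos = _read_vector(handshake_body, pos)
    ys, pos = _read_vector(handshake_body, pos)
    return (int.from_bytes(p, "big"), int.from_bytes(g, "big"),
            int.from_bytes(ys, "big"))


def assess(server_hello_body, server_kx_body, min_bits=MIN_DH_BITS):
    """Classify a server's answer to the export probe; the patched-client
    rule is simply `weak_prime` -> abort the handshake."""
    suite = parse_server_hello(server_hello_body)
    p, _, _ = parse_server_dh_params(server_kx_body)
    bits = p.bit_length()
    return {
        "cipher_suite": suite,
        "accepted_export_suite": suite in DHE_EXPORT_SUITES,
        "dh_prime_bits": bits,
        "weak_prime": bits < min_bits,
    }


def encode_vector(n):
    """Encode an int as an opaque <1..2^16-1> vector."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack("!H", len(b)) + b


def constructed_server_messages(prime_bits, suite):
    """Constructed ServerHello / ServerKeyExchange bodies for offline use.
    The modulus is a stand-in of the requested size, not a real group, and
    the signature that would follow the parameters is omitted."""
    p = (1 << (prime_bits - 1)) | 1
    server_hello = (struct.pack("!H", 0x0301) + b"\x00" * 32 + b"\x00"
                    + struct.pack("!H", suite) + b"\x00")
    server_kx = encode_vector(p) + encode_vector(2) + encode_vector(p - 1)
    return server_hello, server_kx


if __name__ == "__main__":
    hello, kx = constructed_server_messages(512, TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA)
    print(assess(hello, kx))
```

Against a live server the probe record would be written to a TCP socket and the handshake messages split out of the returned records; the parsing and the size check are the same. Note that the check has to be on the prime's bit length, not on the cipher suite the client thinks it negotiated.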

According to the researchers, an estimated 8.4 percent of the top 1 million Web domains are vulnerable, and 3.4 percent of HTTPS websites overall are susceptible. E-mail servers that support SMTP with STARTTLS, POP3 over TLS, and IMAP over TLS are estimated to be vulnerable in 14.8 percent, 8.9 percent, and 8.4 percent of cases respectively.

To exploit vulnerable connections, attackers must first use the number field sieve algorithm to precompute data for a particular prime. That work depends only on the prime, not on any individual server or session, and most servers use one of a handful of hard-coded groups. Once the precomputation is finished, each individual session key can be recovered in roughly a minute, quickly enough to perform man-in-the-middle attacks against vulnerable connections in real time. Using academic-level hardware, the researchers needed about two weeks to generate the data for the two most commonly used 512-bit primes. Those two data sets allow attackers to compromise about 92 percent of sites supporting the export cipher, and it wouldn't require much additional work to cover the remaining ones.
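The split between one-off per-prime work and cheap per-session work is the whole point of the paragraph above, so here it is as an added example (Python, the editor's own, not the researchers' code). Baby-step giant-step stands in for the number field sieve: its baby-step table is built once for the group (p, g) and then reused to solve the discrete log for every handshake that used that group, after which the attacker derives the premaster secret without ever touching the server's long-term key. The group, exponents and handshake values are constructed; BSGS is exponential in the size of p, so this only runs for toy primes, whereas the real attack needs the NFS for a 512-bit modulus.

```python
"""Per-prime precomputation, amortised over many sessions.

Toy stand-in (added example, not the researchers' code) for the structure of
the Logjam attack: the expensive step depends only on the group (p, g), so
once it has been done for one prime, every handshake using that prime costs
only a short per-session computation.  Baby-step giant-step is used here in
place of the number field sieve; it is exponential, so p must stay small."""
import math


class GroupPrecomputation:
    """Baby-step giant-step with the baby-step table built once per group."""

    def __init__(self, p, g):
        self.p, self.g = p, g
        self.m = math.isqrt(p - 2) + 1            # about sqrt(group order)
        # One-off per-prime work: table of g^j -> j for 0 <= j < m.
        # This is the stage that took the researchers about a week per
        # 512-bit prime with the NFS; here it is m modular multiplications.
        self.table = {}
        x = 1
        for j in range(self.m):
            self.table.setdefault(x, j)
            x = x * g % p
        self.giant = pow(g, -self.m, p)           # g^(-m); needs Python 3.8+
        self.last_steps = 0                       # per-session cost, for display

    def log(self, h):
        """Return x with g^x == h (mod p), using the precomputed table.
        Costs at most m+1 multiplications per call, independent of how many
        sessions have already been broken."""
        y = h % self.p
        for i in range(self.m + 1):
            if y in self.table:
                self.last_steps = i
                return i * self.m + self.table[y]
            y = y * self.giant % self.p
        raise ValueError("h is not in the subgroup generated by g")


def recover_premaster(pre, server_pub, client_pub):
    """Given Ys = g^b and Yc = g^a from one handshake, recover g^(ab).

    One discrete log per session is all that is needed; forward secrecy does
    not help, because the attacker never needed the server's signing key."""
    b = pre.log(server_pub)
    return pow(client_pub, b, pre.p)


def break_sessions(pre, handshakes):
    """Recover the premaster secret of every (Ys, Yc) pair that used the
    precomputed group."""
    return [recover_premaster(pre, ys, yc) for ys, yc in handshakes]


def constructed_handshakes(p, g, exponent_pairs):
    """Constructed sample handshakes: (g^b, g^a) for each (a, b) pair."""
    return [(pow(g, b, p), pow(g, a, p)) for a, b in exponent_pairs]


if __name__ == "__main__":
    P, G = 1000003, 5                              # constructed toy group
    pre = GroupPrecomputation(P, G)               # pay once per prime
    sessions = constructed_handshakes(P, G, [(12345, 67890), (4242, 999)])
    for secret in break_sessions(pre, sessions):
        print(hex(secret), "after", pre.last_steps, "giant steps")
```

The shape is what matters: `GroupPrecomputation.__init__` is the week-long job that is paid once per prime, and `log` is the per-connection descent that runs in real time. Swapping the shared 512-bit group for one the attacker has not precomputed forces the whole first stage to be repeated, which is why the mitigation advice is both "drop the export suites" and "use your own group".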

Snowden revelations revisited

The precomputation needed to attack 768- and 1024-bit primes is orders of magnitude harder, but the researchers say the 768-bit case is within reach of academic teams and the 1024-bit case within the means of state-sponsored eavesdroppers, who would have to spend on the order of a few hundred million dollars on purpose-built hardware. Because the work is done once per prime and a small number of standardized 1024-bit primes are shared by a large fraction of servers, a single such effort would pay off across an enormous number of connections. In a research paper titled Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice, the researchers speculate that this technique may be how the National Security Agency routinely breaks millions of encrypted connections. Documents leaked by former NSA contractor Edward Snowden revealed the mass crypto attacks but didn't say how they're carried out. Besides HTTPS-protected Web and e-mail sessions, the researchers said, the same technique may be used to break SSH and VPN connections that rely on the same widely shared 1024-bit groups.

"The technical details of our attack have also let us look at some of the leaked NSA documents in a new light, and give an explanation consistent with the documents and our experiments of how the NSA might be breaking certain crypto protocols on a wide scale," Nadia Heninger, a scientist at the University of Pennsylvania and an author of the paper, wrote in an e-mail.

In the short term, the researchers recommend that all server administrators disable support for the DHE_EXPORT cipher suites that allow Diffie-Hellman connections to be downgraded, and that they generate a fresh 2048-bit Diffie-Hellman group of their own rather than relying on a widely shared default. The researchers have provided a guide with step-by-step instructions for securely deploying Diffie-Hellman in TLS. They also strongly encourage all end users to install the browser and e-mail client patches that enforce a minimum size on the primes used to negotiate ephemeral keys. Over the longer term, they say, developers should transition to elliptic-curve Diffie-Hellman (ECDHE), since no comparable precomputation attack is known against the standard elliptic-curve groups.

Logjam continues a trend begun a few years ago of using catchy words or phrases to name vulnerabilities or the attacks that exploit them. Thankfully, this vulnerability disclosure wasn't accompanied by a logo, and the dedicated website offers a wealth of important information without any hype. Halderman told Ars the name is a pun on the "discrete log" mathematical operation used to break the weak keys. "But the name is also an allusion to the fact that these '90s-era export ciphers are part of an immense amount of technical debt that's built up in our crypto protocols," he added in an e-mail. "There's just too much dead wood that's accumulated over the years."