LOGJAM Vulnerability
A recent flaw has been discovered that affects TLS (Transport Layer Security) that is commonly used to encrypt traffic between websites and browsers (known as HTTPS), as well as SSH, IPsec, SMTPs, and other security protocols that rely on TLS. This new vulnerability (named “LOGJAM”) uses a Man-In-The-Middle (MITM) exploit to downgrade supposedly forward secrecy secure traffic to weaker and unsafe encryption keys (in most cases 512 bit keys, but in some cases as low as 16 bit). First disclosed on May 19th by the University of Michigan, this vulnerability is due to a 1990’s era U.S. federal enforcement of weak “export-grade” ciphers using the Diffie-Hellman key exchange. The vulnerability affects any computer that still supports the DHE_Export ciphers.
Scarab Media performed a vulnerability assessment and found that all of our servers are not vulnerable to this exploit due to modifications we had previously performed on our servers to mitigate the BEAST vulnerability back in 2011. Your eCommerce websites hosted at Scarab Media are verified to already be protected against the LOGJAM vulnerability and nothing further needs to be done to prevent LOGJAM attacks on your website, or to maintain PCI-DSS Compliance.
You can verify that your eCommerce website is secure by running the utility at Qualsys SSL Server Test .
However, this vulnerability does not affect just Servers and websites. It also affects all web browsers. Currently Microsoft Internet Explorer is the only web browser unaffected by this vulnerability, although Google Chrome (including Android Browser), Mozilla Firefox, and Apple Safari are planning on pushing out updates to their browsers to secure it as well. Make sure you have the most recent version of your browser installed, and check for updates frequently.
For more information on the LOGJAM Vulnerability see the following articles:
