Researchers find new problems with SSL




Researchers have found security vulnerabilities in Diffie-Hellman, a protocol that is used in SSL and TLS to exchange keys. As a result, attackers can force a lower level of security. Websites as well as mail servers, SSH and VPN connections are affected.

The vulnerability is similar to the so-called Freak vulnerability, which came to light earlier this year. In that case too, attackers could force a lower level of security, because many web servers and browsers support legacy encryption standards.

Normally, a client and a server use the highest level of protection that both support. With Freak and the new vulnerability, however, an attacker can force a lower, now outdated level of security. Attackers can then easily decrypt the communication.

The big difference is that the Freak vulnerability sat in SSL implementations, so only part of the users were affected. The new vulnerability, which the researchers have named Logjam, is in the common Diffie-Hellman protocol itself, which SSL and TLS use to exchange encryption keys.

As a result, all systems that support the outdated encryption are vulnerable. That includes just 8.4 percent of the 1 million biggest websites, say the researchers, but also a large number of mail servers: the encrypted versions of POP3, IMAP and SMTP rely on Diffie-Hellman. VPN servers and SSH connections are also at risk.

System administrators who protected themselves against the Freak attack by disabling outdated encryption suites are also safe from this attack. However, most browsers still support the legacy suites. Browser makers are currently working on patches for the problem; so far only Internet Explorer has been patched. Users can visit the researchers' website to test whether their browser is vulnerable.

Support for legacy encryption is an inheritance from the past: in the nineties, the US government banned the export of long encryption keys. With shorter encryption keys, after all, it could easily intercept messages. Although long encryption keys are no longer forbidden, support for the short, obsolete keys is often still present for backwards compatibility.

The researchers also found a more theoretical problem with Diffie-Hellman that is harder to abuse. Many connections that rely on Diffie-Hellman are based on the same primes. The assumption has been that this is safe enough, but the researchers dispute that. According to the researchers, a prime of 768 bits can be cracked by a research team, and a prime of 1024 bits by a government.

If such a prime is cracked, the traffic of 18 percent of the 1 million biggest HTTPS websites could be intercepted, as well as 26 percent of SSH servers and up to 66 percent of IPsec VPN servers. The researchers therefore recommend that sysadmins use unique primes with a length of 2048 bits.
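
The recommendation above can be turned into an audit of your own servers. The Python below is an added example, not code from the article or the researchers: it flags Diffie-Hellman primes that are shorter than 2048 bits or shared between hosts. The hostnames and moduli are constructed stand-ins, and treating every length up to 768 or 1024 bits as falling in the article's two attacker classes is an assumption.

```python
"""Audit Diffie-Hellman primes for length and reuse (added example)."""
from collections import defaultdict

RECOMMENDED_BITS = 2048  # prime length the researchers recommend


def strength(bits):
    """Map a prime length to the attacker class the article names.

    Assumption: anything shorter than a named size is at least as weak.
    """
    if bits <= 768:
        return "breakable by a research team"
    if bits <= 1024:
        return "breakable by a government"
    if bits < RECOMMENDED_BITS:
        return "below the recommended 2048 bits"
    return "ok"


def audit(primes_by_host):
    """Return {host: [findings]} for short or shared DH primes."""
    users = defaultdict(list)            # prime -> hosts that use it
    for host, prime in primes_by_host.items():
        users[prime].append(host)
    report = {}
    for host, prime in sorted(primes_by_host.items()):
        findings = []
        bits = prime.bit_length()
        verdict = strength(bits)
        if verdict != "ok":
            findings.append(f"{bits}-bit prime: {verdict}")
        others = sorted(h for h in users[prime] if h != host)
        if others:                       # the article asks for unique primes
            findings.append("prime shared with " + ", ".join(others))
        report[host] = findings
    return report


# Constructed sample data: stand-in moduli with the right bit lengths,
# not real DH primes; the hostnames are hypothetical.
SAMPLE = {
    "mail.example.test": (1 << 767) | 1,    # 768 bits
    "www.example.test": (1 << 1023) | 1,    # 1024 bits, same value as vpn
    "vpn.example.test": (1 << 1023) | 1,
    "ssh.example.test": (1 << 2047) | 1,    # 2048 bits, unique
}

if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        print(host, "->", "; ".join(findings) or "ok")
```
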

Since April 2014, many serious vulnerabilities in SSL and SSL implementations have come to light. Among them was Heartbleed, which let attackers read the internal memory of a server running OpenSSL. Researchers from Google also found a vulnerability in SSL 3.0 that allowed cookies, for instance, to be intercepted using JavaScript.

