IT Focus Area: Security
May 20, 2015
New "LogJam" Encryption Flaw Puts Websites, Mail Servers, and Other Internet Services at Risk
Through follow-up investigations into the FREAK OpenSSL vulnerability, security experts have found a new encryption flaw.
The newly discovered SSL bug—called LogJam—lies specifically within the “Diffie-Hellman key exchange,” the algorithm a client and server use to agree on a shared encryption key. LogJam can allow the encrypted connection between a user and a Web or email server to be significantly weakened: malicious actors can use it to trick a Web server into thinking it is using a stronger encryption key than it actually is. Attackers can then collect the weakly encrypted traffic and decrypt it with little effort.
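As an added illustration (not code from the article), the following check shows what a defender actually looks for when assessing LogJam exposure: the size of the Diffie-Hellman prime a server sends in its TLS ServerKeyExchange message, since the attack forces the handshake onto an undersized (512-bit, export-grade) group. The message layout follows RFC 5246; the sample message and its 512-bit value are constructed here and are not a real group.

```python
"""Flag weak Diffie-Hellman groups in a TLS ServerKeyExchange message.

Added illustration, not code from the article. LogJam works by pushing a
DHE handshake onto an undersized (export-grade, 512-bit) group, so the
defender's check is simply: how many bits is the prime p the server sent?
"""
import struct

HANDSHAKE_SERVER_KEY_EXCHANGE = 12  # TLS handshake message type (RFC 5246)

def parse_dhe_server_key_exchange(msg: bytes) -> dict:
    """Extract dh_p, dh_g and dh_Ys from a ServerKeyExchange handshake message
    (RFC 5246 section 7.4.3). Signature bytes following dh_Ys are ignored."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    fields, off = [], 0
    for _ in range(3):  # dh_p, dh_g, dh_Ys: each is a 2-byte-length-prefixed opaque
        if off + 2 > len(body):
            raise ValueError("truncated DH params")
        (n,) = struct.unpack_from("!H", body, off)
        off += 2
        if off + n > len(body):
            raise ValueError("truncated DH params")
        fields.append(body[off:off + n])
        off += n
    p, g, ys = (int.from_bytes(f, "big") for f in fields)
    return {"p": p, "g": g, "Ys": ys, "p_bits": p.bit_length()}

def classify_dh_group(p_bits: int) -> str:
    """Rate the group size: export-grade (LogJam territory), weak, or acceptable."""
    if p_bits <= 512:
        return "export-grade"
    if p_bits < 2048:
        return "weak"
    return "acceptable"

def build_server_key_exchange(p: int, g: int, ys: int) -> bytes:
    """Construct an unsigned ServerKeyExchange message, for testing the parser."""
    def opaque(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(raw)) + raw
    body = opaque(p) + opaque(g) + opaque(ys)
    return bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body

# Constructed sample: a 512-bit value standing in for an export-grade prime (not a real group).
SAMPLE_EXPORT_P = (1 << 511) | 0xCAFE_F00D_1234_5679
SAMPLE_MSG = build_server_key_exchange(SAMPLE_EXPORT_P, 2, 0x1234)

if __name__ == "__main__":
    params = parse_dhe_server_key_exchange(SAMPLE_MSG)
    print(params["p_bits"], classify_dh_group(params["p_bits"]))  # 512 export-grade
```

Run against ServerKeyExchange messages pulled from a packet capture of your own servers, anything rated below "acceptable" is a server whose DHE configuration needs attention.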
Approximately 8 percent of websites on the Internet are vulnerable to LogJam, along with email servers and other systems (many email servers weren't updated after FREAK).
How Can You Protect Your Enterprise?
Companies that patched their software to address the FREAK flaw will not be vulnerable to LogJam.
News of the flaw has been quietly circulating, and Microsoft fixed its Internet Explorer browser last week. Patches for Chrome, Firefox and Apple’s Safari browser should be released soon.
If your organization is operating Web servers, follow these step-by-step instructions to ensure you’re protected.