Originally posted on PandoDaily:
A newly disclosed weakness in how servers use Diffie-Hellman key exchange undermines several common security protocols and leaves information sent over many connections open to surveillance. The attack is called Logjam, and it could affect thousands of sites and services.
The researchers who discovered the weakness suspect that it may have been used by the National Security Agency to surveil its targets. It could also be used by any other attacker in a position to intercept traffic who wishes to “read and modify any data” a victim is sending. Here is how the researchers describe the problem on the vulnerability’s website:
Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections.
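The two-phase structure the researchers describe, an expensive step that depends only on the prime and a cheap per-connection step afterwards, is easy to see in a toy model. The following Python is an added illustration written for this page; it is not code from the post or from the weakdh.org researchers, and it substitutes baby-step giant-step (whose table likewise depends only on the group) for the number field sieve, on a 31-bit prime rather than a 512- or 1024-bit one. The prime 2^31-1 with generator 7 and the function names are choices made for the example.

```python
"""Toy model of the Logjam precomputation: one expensive table per (p, g),
then every connection that reuses that group is broken cheaply.

Added example for illustration only. Baby-step giant-step stands in for the
number field sieve; p = 2^31 - 1 and g = 7 are chosen so it runs in seconds.
"""
import math
import secrets

P = 2147483647   # 2^31 - 1, a prime; a real server would use 512 to 2048 bits
G = 7            # generator chosen for the example


def precompute_group(p, g):
    """Phase 1: depends only on the group (p, g), never on a connection.

    Builds the baby-step table {g^j mod p: j} for 0 <= j < m with
    m = ceil(sqrt(p - 1)). This is the part an attacker does once per prime.
    """
    m = math.isqrt(p - 1) + 1
    table = {}
    x = 1
    for j in range(m):
        table.setdefault(x, j)
        x = x * g % p
    return {"p": p, "g": g, "m": m, "table": table}


def discrete_log(group, h):
    """Phase 2: recover x with g^x == h (mod p) using the precomputed table.

    Only the m giant steps are done here, so the per-connection cost is tiny
    compared with building the table. pow(g, -m, p) needs Python 3.8+.
    """
    p, g, m, table = group["p"], group["g"], group["m"], group["table"]
    factor = pow(g, -m, p)          # g^(-m) mod p
    gamma = h
    for i in range(m):
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * factor % p
    raise ValueError("h is not in the subgroup generated by g")


def dh_connection(p, g):
    """Honest client and server: fresh secret exponents for every connection,
    exactly the practice the quote says practitioners believed was safe.
    Returns the two public values seen on the wire and the shared secret."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    A = pow(g, a, p)                # client's public value
    B = pow(g, b, p)                # server's public value
    shared = pow(B, a, p)
    assert shared == pow(A, b, p)   # both sides agree
    return A, B, shared


def eavesdrop(group, A, B):
    """Passive attacker who saw only A and B: recover the server's exponent
    from B with the precomputed table, then derive the session secret."""
    b = discrete_log(group, B)
    return pow(A, b, group["p"])


def break_sessions(group, n):
    """Run n independent connections on the shared group and count how many
    the eavesdropper recovers. With a correct table this is always n."""
    recovered = 0
    for _ in range(n):
        A, B, shared = dh_connection(group["p"], group["g"])
        if eavesdrop(group, A, B) == shared:
            recovered += 1
    return recovered


if __name__ == "__main__":
    grp = precompute_group(P, G)        # the slow, reusable step
    print("sessions broken:", break_sessions(grp, 5), "of 5")
```

Generating a fresh exponent per connection does nothing against this attacker, because the table is keyed on the group, not on the exponent; the defence is a group the attacker has not precomputed, which in practice means a unique prime of 2048 bits or more rather than a widely shared 512- or 1024-bit one.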