Logjam Attack testing

[steven36]

By now you may of heard Of logjam .IE 11 has been patched . out of my test all browsers not patched pass if you are using uMatrix , Policeman or Noscript . will pass the test I tested 6 browsers . :)

Test is here

https://weakdh.org/

All browsers without these addons fail but IE tell there are patches .

Conclusion: If you use script blocking software that blocks out 3rd parties your not vulnerable to these attacks.

[ande]

Correct me if I am wrong but this is a server-side problem, client can't do shit. Client (browser) side fix is to "blacklist" all TLS services that support DHE_EXPORT cipher or by rejecting short DH parameters.

What script blocking has to do with any of this?

Edit:

I get it, you blocked js that was there to check if browser was vulnerable? :)

[steven36]

What Logjam does is trick you into taking a very low encryption standard . By a man in the middle attack .

To test whether your browser is vulnerable, point it to https://weakdh.org/. If you see a red warning banner, the Logjam attack will work on your browser, and you're in danger of having your secure Internet connections hijacked. The finders of the flaw estimate that roughly 10 percent of email servers and more than 8 percent of Web servers are also vulnerable.

Well if you block the script there using you pass the test . witch all these addons pre-blocked it.

Unlike FREAK and other ssl exploits, its very rare that you would come across this one anyway,s because someone needs to be on same network as you to send you the exploit .

Only its very dangerous if you use public Wi-Fi were other people are on the same network therefore there suggesting if you're using the Web on a public Wi-Fi network, stick to Internet Explorer witch has been patched.

[DLord]

Firefox is up-to-date but still fails! :angry:

[steven36]

Only way to pass the test is block script tell they patch it . anyways unless .your on a public wifi not much worry about

A Practical Logjam Attack

If you are not a nation-state or major university researcher, you will need to meet a few requirements to mount an attack using Logjam. Many of these requirements are not trivial.

1. You must be in place and ready to attack before the connection starts. This usually means being physical-ly close to one of the endpoints. Lurking in a cybercafé on the same WiFi as your victim is a classic example.
   
2. You have to select one or more specific victims in advance. You can’t hoover up all the data now and se-lect victims later. You can attack as many victims as you have computing capability, but you have to ac-tually attack them when they start their connections.
   
3. Both the victim’s client software (e.g., browser) and the server must support traditional Diffie-Helman key exchange and must support “export-grade” cipher suites.
   
4. You must be able to effectively man-in-the-middle the conversation. Typically you must be in between the victim and their Internet connection already.
   
5. You have precomputed parameters for the primes the server will choose. Like many rainbow tables for password hashes today, there may soon be lookup tables for RSA primes in circulation. For now, attack-ers must compute their own. Also like rainbow tables, we are confident that many “normal” people (not nation-states, not universities) have the computing horsepower to do this up to 512 bit primes in a rea-sonable amount of time.

As with all other cipher downgrade attacks the best way to prevent it is to disable weak ciphers in the first place. If weak ciphers are not available even a successful cipher downgrade will result in strong encryption.

Anyway its easy to fix just make all SSL were it want except keys lower then 2048-bit key ..Even if NSA try to crack it all you have to do is generate a new keys often and all there work would be lost and they would have to start over. :P

It is inexcusable to use or support “export grade cryptography” in any context any more.

Sadly many people still use weak IPSEC VPNs and some software support really weak 128 bit keys . Its been known for years these weak keys can be cracked its time to abolish these weak forms of encryption or fixing this exploit want do much good . It will just be more and more of them tell this 1990s style encryption is put out to pasture for good. :(

[Skunk1966]

there's a workaround for Firefox and Firefox-based browsers:

Disable the insecure ciphers here:

(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.

(2) In the search box above the list, type or paste ssl3 and pause while the list is filtered

(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)

(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)

That's it, you can test using: https://www.ssllabs.com/ssltest/viewMyClient.html

tested by me and it works

[Gabben]

too much of a huss. this is not a big deal don't panic

[212eta]

http://www.techsupportalert.com/content/security-attack-called-logjam-makes-browsers-vulnerable.htm