Clearing out LogJam bug 'could block 20,000 websites'

A software update to fix the security flaw known as LogJam could result in tens of thousands of websites becoming inaccessible, according to the Wall Street Journal.

The bug affects all modern browsers, including Firefox, Safari, Internet Explorer and Chrome, when they try to connect to websites that use the Diffie-Hellman key exchange protocol.

Fixing it could break around 20,000 older websites whose code hasn't been updated regularly enough.

The security flaw potentially allows hackers to carry out man-in-the-middle attacks by shortening encryption keys when data is transferred between the user's browser and the website over a supposedly secure connection.

Prof Alan Woodward, a cybersecurity expert at the University of Surrey, told BBC News that browsers are likely to fix the bug by blocking shorter encryption keys, which are now outdated.

But he warned: "Some older web servers might then be prevented from starting a secure conversation with the updated web browsers as they would support only those older, shorter, weaker key lengths."

According to the researchers who discovered it, around eight per cent of the top million websites in the world, including email services, are vulnerable to a LogJam attack.

The LogJam bug is a legacy of US export restrictions on cryptographic tools during the 1990s, which limited how complex encryption codes in international versions of American-made software could be.

While these rules were later relaxed, the vulnerabilities lived on undetected for 20 years, even as technology supposedly became more secure.

It is also similar in nature to the Heartbleed bug, which was discovered in April last year, and FREAK, which was discovered last month, in that all three affect SSL/TLS secure data transfer protocols.

Did the NSA use LogJam?

The researchers who discovered LogJam have hypothesised that the NSA was aware of the bug and made use of it to crack into virtual private networks (VPNs) using a system called Turmoil - a practice revealed in papers leaked by whistleblower Edward Snowden.

"Our calculations suggest that it is plausibly within NSA's resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups," the researchers said.

"This would allow them to break any key exchanges made with those groups in close to real time. If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks: How is NSA defeating the encryption for widely used VPN protocols?"

Jane McCallion
Managing Editor
