LOGJAM SSL bug - New Threat
Source: https://weakdh.org/
Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS.
We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed
Here is a work-around for sysadmins: https://weakdh.org/sysadmin.html
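The weakdh.org sysadmin guidance comes down to three checks: no export suites, ECDHE preferred, and any finite-field DHE group unique and at least 2048 bits. The following is an added example for this thread, not code from weakdh.org, cipherli.st or any commenter: it reads the PEM "DH PARAMETERS" file that `openssl dhparam` writes (PKCS#3, a DER SEQUENCE of INTEGER p and INTEGER g), checks the prime's size and whether it is a safe prime, and scans an nginx `ssl_ciphers`/`ssl_dhparam` pair. The three config snippets and the 1024-bit modulus are constructed for the example (2**1023 + 1 is composite, so the safe-prime check is expected to reject it), and the cipher-string classification is a regex heuristic, so confirm real strings with `openssl ciphers -v '<string>'`.

```python
"""Audit TLS Diffie-Hellman deployment against the weakdh.org Logjam fixes.

Added example for this thread (not weakdh.org's, cipherli.st's or any
commenter's code). Samples below are constructed, not real deployments.
"""
import base64
import random
import re

_rng = random.SystemRandom()


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    """DER INTEGER; a leading 0x00 is added whenever the top bit would be set."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_dhparam(p, g):
    """Build a PEM 'DH PARAMETERS' blob, the format `openssl dhparam -out` writes."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)


def parse_dhparam(pem):
    """Return (p, g) from a PEM 'DH PARAMETERS' blob; the optional third field is ignored."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    tag, seq, _ = _read_tlv(base64.b64decode("".join(m.group(1).split())), 0)
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag != 0x30 or tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("not a PKCS#3 DHParameter SEQUENCE")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n, rounds=16):
    """Miller-Rabin after trial division by the first few primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """p and (p-1)/2 both prime, so the group has no small subgroups to confine to."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def audit_dhparam(pem, min_bits=2048):
    p, g = parse_dhparam(pem)
    findings = []
    if p.bit_length() < min_bits:
        findings.append("DH prime is %d bits; weakdh.org recommends at least %d" % (p.bit_length(), min_bits))
    if not is_safe_prime(p):
        findings.append("DH prime is not a safe prime (compare `openssl dhparam -check`)")
    if g not in (2, 5):
        findings.append("unusual generator g=%d" % g)
    return {"bits": p.bit_length(), "g": g, "findings": findings}


# Finite-field DHE selectors (ECDHE deliberately excluded) and export selectors.
# ALL and DEFAULT pulled export suites in on OpenSSL of that era unless !EXPORT was added.
DHE_RE = re.compile(r"(?<!EC)DHE|EDH|^DH$|^ALL$|^DEFAULT$|^HIGH$|^MEDIUM$")
EXPORT_RE = re.compile(r"^EXP|EXPORT|^ALL$|^DEFAULT$")


def _enables(tokens, pattern):
    """Heuristic: a class is on if a non-negated token selects it and no '!' token removes it."""
    selected = any(not t.startswith("!") and pattern.search(t) for t in tokens)
    removed = any(t.startswith("!") and pattern.search(t[1:]) for t in tokens)
    return selected and not removed


def audit_nginx(config, dhparam_pem=None, min_bits=2048):
    """Findings for one nginx server block; nginx's default ssl_ciphers is HIGH:!aNULL:!MD5."""
    findings = []
    m = re.search(r"""ssl_ciphers\s+['"]?([^'";]+)['"]?\s*;""", config)
    tokens = [t.strip() for t in (m.group(1) if m else "HIGH:!aNULL:!MD5").split(":") if t.strip()]
    if _enables(tokens, EXPORT_RE):
        findings.append("export suites not excluded: add !EXPORT (Logjam downgrades to 512-bit EXP-EDH)")
    if _enables(tokens, DHE_RE):
        if not re.search(r"ssl_dhparam\s+\S+\s*;", config):
            findings.append("DHE enabled without ssl_dhparam (nginx of that era fell back to a built-in 1024-bit group)")
        elif dhparam_pem is not None:
            findings += audit_dhparam(dhparam_pem, min_bits)["findings"]
    return findings


# Constructed samples: a weak block, a DHE block with a 1024-bit stand-in group, and ECDHE-only.
WEAK_CONF = 'server {\n    listen 443 ssl;\n    ssl_ciphers "ALL:!aNULL:!eNULL";\n}\n'
DHE_CONF = ('server {\n    listen 443 ssl;\n    ssl_ciphers "AES128+EECDH:AES128+EDH:!EXPORT";\n'
            '    ssl_dhparam /etc/nginx/dhparam.pem;\n}\n')
ECDHE_CONF = ('server {\n    listen 443 ssl;\n    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:'
              'ECDHE-ECDSA-AES128-GCM-SHA256:!aNULL:!EXPORT";\n}\n')
SAMPLE_PEM = encode_dhparam(2 ** 1023 + 1, 2)  # composite stand-in: 3 divides 2**1023 + 1

if __name__ == "__main__":
    for name, conf, pem in (("weak", WEAK_CONF, None), ("dhe", DHE_CONF, SAMPLE_PEM), ("ecdhe", ECDHE_CONF, None)):
        print(name, audit_nginx(conf, pem) or ["ok"])
```

Run it against a real `/etc/nginx/dhparam.pem` by passing the file's contents as `dhparam_pem`; a freshly generated `openssl dhparam -out dhparam.pem 2048` group should come back with no findings, while the ECDHE-only string needs no group at all, which is exactly the "supports ECDHE, and does not use DHE" result the weakdh.org test reports.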
Comments
I'm pretty sure DH key exchanges are used for WPS, too. Interesting.
I read about a possibility of a possibility for this a long time ago, so I had already done all that...
WPS is way, way more broken than this.
My side project tries to give secure default settings for all major webservers and other software (like haproxy, mysql, mailservers etc): https://cipherli.st/
From the start it has listed the suggestion to set up >2048 DH keys.
If you want to test your site for export ciphers, you can try my other side project: https://tls.so/ - you can also use the SSL labs test but mine is faster for just testing ciphersuite. (And it's open source, so you can use it internally as well).
Mozilla also has a good wiki page for SSL settings: https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_ciphers "AES128+EECDH:AES128+EDH";
Why exclude so many ciphers including AES256?
I've found the nginx config on cipherli.st not to be accurate myself. It didn't get a good score.
When I changed the ciphers myself, with some tweaking, I ended up with an A+ on SSLLABS.
AES256, whilst secure, is largely pointless, to be honest - there's no indication that AES128 is weak in any shape or form. I personally disable AES256 as IMO, there's no need to take the performance hit for no tangible benefit.
You're absolutely fucking kidding me right? Encryption is pointless? Boy you're stupid.
xyz is saying AES256 is too heavy on resources to be used. He is not saying encryption is pointless.
I'm so over these SSL vulnerabilities. I'll just start using plain text so everything is secure :P
I guess it is heavier than AES128? I have not noticed any side effects using AES256..
Unless the difference in performance is in the factor of 10-100x more, the cost of block encryption is unlikely to have any noticeable effect.
The increased block size may, but 256 is still pretty manageable. 512 or 1024 (small flush overhead) and the overheads would be more noticeable.
You can run your own tests to verify:
openssl speed -evp aes-128-cbc aes-256-cbc
But as SplitIce said, most websites probably won't notice a difference in performance since the key exchange will dominate symmetric crypto for small transfers.
In other words, it's somewhat of a moot point whether you enable/disable AES256 - you get negligible security benefit at a negligible speed cost (unless you're serving large downloads).
AES128 and AES256 use the same block size (128 bit). AES is not defined for 512/1024 bit keys.
Thx, the factor is 10 for me. However, I recall checking once in the past with a fast and large file download and think my result was that CPU load depended mainly on the key length of the certificate. Can anyone confirm this?
I think I have only (EC)DHE AES256 SHA256/SHA384 enabled, use a 8192bit RSA certificate with 4096 bit DH params and CPU load is not extraordinary at all. (~0.5% of one core per MByte/s download speed)
In my humble opinion, vulnerabilities like this one show that one should rather just set everything to paranoid mode...
You can fix your firefox by going to about:config and setting everything with "security.ssl3.dhe" to false. Then weakdh.org will say "Good News! Your browser is safe against the Logjam attack. "
For large downloads, the hash/private key crypto would likely dominate the key exchange.
Though there's a number of possible factors, including whether your CPU supports hardware accelerated crypto.
8192bit RSA is quite extreme though. Most root certs I've seen only do 4096 bit.
So sounds like a speed of 200MB/s. Can't really say if that's good without knowing the CPU. Also, I presume AES is running in GCM mode there?
I'd disagree. Crypto strength is actually rarely the problem (or solution) - it's almost always implementation faults where vulnerabilities lie.
Only getting a "B (70)" score at ssllabs with this, due to:
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
Mine is A+ (95) with good compatibility:
Heh, my nginx powered webserver (@ https://b.unni.es) makes ssllabs happy:
https://www.ssllabs.com/ssltest/analyze.html?d=b.unni.es
And https://weakdh.org/sysadmin.html's server test says:
Good News! This site is safe from the Logjam attack. It supports ECDHE, and does not use DHE.
test.com is vulnerable tho. funny.
At the price of excluding any Android earlier than 4.4, any IE earlier than 11, and all versions of Java.
Not so good. It excludes IE & Java Browsers. Mine is good ^_^ : https://www.ssllabs.com/ssltest/analyze.html?d=rcpcbd.com