After Heartbleed came Logjam. Those who work in technology will remember the Heartbleed vulnerability, which came to remind us that security is not a given in Internet. While IT is still trying to forget about the SSL vulnerability that caused them to run and not reach, researchers have discovered another major flaw in SSL called “Logjam” or in Greek “dead end” and it affects a number of fundamental web protocols .
The bug affects an algorithm called "Diffie-Hellman key exchange"Which allows protocols such as HTTPS, SSH, IPsec, SMTPS to exchange a shared key to create a secure connection.
Johns Hopkins University cryptanalyst Matthew Green discovered several weaknesses in the algorithm and published a technique report describing them in detail. You can read the academic paper from here (PDF).
Η attack allows man-in-the-middle by downgrading the security of connections to a lower level of encryption (512 bit) which can be read with relative ease.
This means that teams with large computational power at their disposal, like the NSA, could break even stronger encryption (768-bit or even 1024-bit.) Using the algorithm.
The study estimates that up to 8,4% of the top 1.000.000 websites are vulnerable, along with a huge number of email services and other systems.
You can check if the program Your browser is vulnerable from here. At the time of writing all major browsers are still open to the attack.
Google has begun already to develop a patch that will increase the SSL requirement in Chrome to 1024 bit.
For those of you who are server administrators, you should immediately follow the instructions (link at the end of the publication) that have been issued to protect your environment from Logjam bug.
For all others, do not surf on unfamiliar websites, or websites that suggest strangers.
All known browsers are affected by this vulnerability.