Leave a comment

Check NOW if your browser is open to a new Heartbleed-style bug

Check NOW if your browser is open to a new Heartbleed-style bug
Photo courtesy of Shutterstock

You remember Heartbleed. It was the devastating flaw discovered last year in the backbone of Internet security. It let hackers peek around the security of millions of websites and servers.

Unfortunately, it's about to be topped by a new widespread security flaw called Logjam. Like Heartbleed, this attack is very technical and centers on a famous cryptographic technique called Diffie-Hellman. I won't go into much detail on that, but I will tell you the net result.

As you hopefully know, every secure website, from banks to shopping sites, encrypts the connection between the site and your computer to keep hackers from seeing the information you're sending and receiving. If you see an "https" at in your browser's address bar, such as "https://www.komando.com" that means the connection is encrypted.

However, if a hacker could break that encryption, he could steal your passwords, credit card information and other sensitive information going back and forth. Logjam lets hackers do just that.

As it stands, 8.4% of the top 1 million domains around the world are vulnerable to this attack. That's scary. What's scarier is that while there's a fast way to keep regular hackers from using Logjam, it won't stop the NSA or other countries.

Encryption comes in different strengths, and as you would expect, weaker encryption is easier to break. Logjam works by tricking websites into using 512-bit Diffie-Hellman encryption instead of the stronger 1024-bit encryption. Once a website is using 512-bit, it's easy for a hacker with good computers to crack.

Websites are fixing this by not allowing people to use anything less than 1024-bit encryption. In the same way, Chrome, Firefox, Internet Explorer and other browsers are getting updates so they won't connect to websites with less than 1024-bit encryption. Click here to see if your browser is vulnerable.

For now, if you use the browser checker it's going to say your browser is vulnerable. Check back after your next browser update, whenever that happens, to make sure it's fixed. Click here to find out if you need to update your browser.

OK, that's a simple solution. Unfortunately, it isn't the only problem with Diffie-Hellman. Again, the details are technical, but the upshot is that anyone with powerful computers, like the NSA, can crack the most common 1024-bit Diffie-Hellman encryption.

That lets the NSA potentially snoop on 17.9% of the top 1 million websites. In fact, according to Edward Snowden's leaked files, it seems the NSA has been using this method for a while now to spy on "secure" Internet traffic. That means other countries probably do as well.

Fixing that problem is going to be a bit harder. Some Web servers will need to move up to 2048-bit encryption, and in other areas will need to move to variations of Diffie-Hellman like the Elliptic-Curve Diffie-Hellman Key Exchange.

Unfortunately, there's not much you can do to help. For now, upgrade your browser when the update comes around to keep hackers at bay. Security experts and Web companies are going to have to figure out the rest.

Next Story
Source: The Next Web
View Comments ()
Millions of routers are at risk
Previous Happening Now

Millions of routers are at risk

Eew. I am NOT on board with Scrabble's new official words
Next Happening Now

Eew. I am NOT on board with Scrabble's new official words