A newly disclosed flaw in Internet encryption leaves Web browsers vulnerable to hackers who could intercept secure traffic, spy on banking transactions and hijack Facebook accounts.
As of this writing, Tuesday morning (May 20), only Microsoft Internet Explorer among the major Web browsers has been patched against the new flaw, the exploit of which has been dubbed the Logjam attack. The latest versions of Google Chrome, Mozilla Firefox and Apple Safari are vulnerable on Windows, OS X, Android and iOS. (Ironically, an old version of Safari for Windows, which is no longer developed or distributed, was safe.)
To test whether your browser is vulnerable, point it to https://weakdh.org/. If you see a red warning banner, the Logjam attack will work on your browser, and you're in danger of having your secure Internet connections hijacked. The finders of the flaw estimate that roughly 10 percent of email servers and more than 8 percent of Web servers are also vulnerable.
A representative of Google told The Wall Street Journal that Chrome would be patched within weeks, while Mozilla told the newspaper that Firefox would be safe within a few days. Tom's Guide has reached out to Apple for information about the Safari patch schedule and will update this story with any response.
However, Tod Beardsley of Boston-based information-security firm Rapid7 downplayed the dangers that Logjam poses to the average person.
"The only two groups really in a position to take advantage of this vulnerability are (1) criminals on coffee-shop Wi-Fi networks and (2) state actors [such as the NSA] who already control a huge chunk of the local Internet," Beardsley said in an email. "[The] usual rogues' gallery of Internet criminals are not really a risk here."
Logjam is similar to the FREAK flaw disclosed earlier this year in that it forces the two ends of an encrypted communication to both downgrade their security.
Encrypted communication always requires a bit of a dance between the two parties at the onset of the exchange, as they negotiate which form of encryption to use. Because not all software supports all forms of online encryption (there are dozens), both parties must settle for the lowest common denominator.
Both Logjam and FREAK trick the parties into settling for something very low indeed — encryption standards from the 1990s that are long out of date. The attacks differ in the tricks they use and the part of the online encryption protocols they abuse.
Because the flaw behind Logjam lies deep within the most commonly used online encryption standard, whereas Freak exploited an outmoded implementation, Logjam will take longer to patch. In the meantime, if you're using the Web on a public Wi-Fi network, stick to Internet Explorer.
"Cryptography makes certain promises about confidentiality, and this vulnerability violates that trust," Beardsley said. "When a browser shows the user a green lock icon, it should mean that nobody — not even state actors — can listen in on that connection."
- 7 Ways to Stop NSA Spying on Your Smartphone
- How to Encrypt Your Files and Folders
- Best Identity-Theft Protection Services