LogJam bug exposes encrypted browser data

May, 21, 2015 Branden Spikes

A new flaw in encrypted browser traffic dubbed "LogJam" has been revealed which, like BREACH and FREAK before it, exposes encrypted data to man-in-the-middle snooping. This is a great opportunity to yet again extol the benefits of our AirGap approach, but this problem is really bigger than that.

The standard browser vendors have begun working on solutions to this by removing the old low-strength encryption functionality. It's a good move for browsers to raise the bar on encryption key strength as compute power increases, and hackers gain access to botnets and cryptocurrency mining devices which make key cracking a bit too trivial for comfort. I think you can probably blame this archaic support for weak keys on the US cryptography export laws, which are hopefully well enough in our rear view mirror by now to move on.

What really concerns me about LogJam though, and such vulnerabilities giving hackers access to encrypted web traffic is that it further exposes browsers to "watering hole" attacks. Imagine if attackers gain credentials and access to content authoring suites at popular websites, and use this access to maliciously customize trusted content to spread malware via drive-by without any need for phishing.

It's great that browsers are getting patched to address this, but now the burden rests with users and IT professionals to distribute the patches. I think the task of updating billions of browsers on all platforms, including those browsers nested within mobile apps and IOT devices, might be daunting and take a long time. Suffice to say if LogJam gets exploited in the wild, we're in for quite a busy summer. Centralized and efficient control of browsers should be top of mind for network administrators.

Branden Spikes, CEO CTO and Founder, Spikes Security

Keep informed.