Information about the Logjam Attack

Discussion in 'Announcements' started by PP Daniel, May 21, 2015.

  1. PP Daniel (Staff Member)

    Security researchers have found several weaknesses in the deployment of the Diffie-Hellman key exchange which is used in many protocols like HTTPS, SSH, IPsec, SMTPS and TLS.

    These weaknesses have some implications for VPN users. The following information is a summary of what you should be aware of to keep your computer and connections as secure as possible.

    OpenVPN: OpenVPN connections with Perfect Privacy are not vulnerable to the Logjam attack as we use 4096-bit encryption keys which are still assumed non-breakable.

    IPSec: According to the report, IPSec connections are vulnerable if the IKEv1 protocol is being used. This may be the case if you are using mobile devices running iOS or Android. The Perfect Privacy VPN Manager for Windows uses IKEv2 and should not be vulnerable. This issue cannot be fixed from our side as it depends on the IPSec implementation of the underlying operating system. We recommend using OpenVPN instead, where strong encryption keys are enforced.

    SSH: Current SSH clients like PuTTY or ssh for Linux use ECDHE (Elliptic-Curve Diffie-Hellman) for key exchange, which is not vulnerable to the attack. However, if you have imported public SSH keys with older SSH clients, the connection may still be using Diffie-Hellman. If in doubt, you can remove your accepted host keys and import them again with an updated SSH client.

    Web server: We have updated our web servers so they all use 2048-bit keys. You can verify this on the server test site at weakdh.org. Please note that checkip.perfect-privacy.com is not yet updated; this will happen in the near future.

    Browser: Current browsers may still be vulnerable to the Logjam attack when using SSL connections; you can check this on https://weakdh.org/. However, all major browsers will provide updates for this issue soon and they should be applied automatically once available.

    Kind regards,

    Your Perfect Privacy Team
     
  2. bokkenrijder (Junior Member)

    Firefox 38.0.1 is vulnerable to the Logjam exploit.
    Logjam workaround for Firefox:

    http://forums.mozillazine.org/viewtopic.php?f=38&t=2935955

    Disable the insecure ciphers here:

    (1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.

    (2) In the search box above the list, type or paste ssl3 and pause while the list is filtered.

    (3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)

    (4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)

    That's it, you can test using: https://www.ssllabs.com/ssltest/viewMyClient.html
    and: https://weakdh.org/
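
The announcement says the web servers now use 2048-bit keys and points to weakdh.org to verify it. The following is an added example, not part of the original posts, that does the same check locally by reading the `Server Temp Key` line from saved `openssl s_client -connect host:443` output; the host names and transcripts are constructed, and the 2048-bit threshold is taken from the announcement.

```python
import re

MIN_DH_BITS = 2048  # size the announcement cites for its updated web servers

# s_client reports the server's ephemeral key, for example:
#   Server Temp Key: DH, 1024 bits
#   Server Temp Key: ECDH, P-256, 256 bits
TEMP_KEY = re.compile(
    r"^[ \t]*Server Temp Key:[ \t]*(?P<kind>\w+),[ \t]*"
    r"(?:(?P<curve>[^,\n]+),[ \t]*)?(?P<bits>\d+) bits[ \t]*$",
    re.MULTILINE,
)

def classify(transcript):
    """Return (verdict, detail) for one captured s_client transcript."""
    m = TEMP_KEY.search(transcript)
    if m is None:
        # Static RSA key exchange or a failed handshake: nothing to measure.
        return ("no-ephemeral-key", "no Server Temp Key line")
    kind, bits = m.group("kind"), int(m.group("bits"))
    if kind != "DH":
        # Elliptic-curve exchange: the DH group-size check does not apply.
        curve = m.group("curve") or kind
        return ("elliptic-curve", f"{curve}, {bits} bits")
    if bits < MIN_DH_BITS:
        return ("weak-dh", f"{bits}-bit group, below {MIN_DH_BITS}")
    return ("ok-dh", f"{bits}-bit group")

def audit(transcripts):
    """Map each host label to its verdict."""
    return {host: classify(text)[0] for host, text in transcripts.items()}

# Constructed transcripts (hypothetical hosts, trimmed to the relevant lines).
SAMPLES = {
    "old.example": "---\nNo client certificate CA names sent\n"
                   "Server Temp Key: DH, 1024 bits\n---\n",
    "updated.example": "---\nServer Temp Key: DH, 2048 bits\n---\n",
    "ecdhe.example": "---\nServer Temp Key: ECDH, P-256, 256 bits\n---\n",
    "static-rsa.example": "---\nNo client certificate CA names sent\n---\n",
}

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        print(host, *classify(text))
```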