Another crypto downgrade attack: Logjam
Posted May 21, 2015 7:24 UTC (Thu) by nmav (guest, #34036)
Parent article: Another crypto downgrade attack: Logjam
The paper looks like it is hastily written and uses very sloppy language, confusing people not familiar with TLS. There are no DHE_EXPORT ciphersuites, and the DH key exchange was never crippled due to export restrictions; it was simply not allowed in export mode. So there is no way to disable them as the article suggests. In TLS there are the DHE ciphersuites, which can be used with short parameters without most clients complaining about them. What the researchers found is that there is software in the wild which uses a default set of DHE parameters which are extremely short.
Posted May 21, 2015 7:43 UTC (Thu) by nmav (guest, #34036)
And to correct myself, there is DHE_RSA_EXPORT used with DES40 for this attack. Never thought that these ciphersuites were even implemented, even more present on real web sites.
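
Added example, not part of the comments above and not taken from any TLS library: a client-side check that parses the ServerDHParams fields (dh_p, dh_g, dh_Ys) at the start of a DHE ServerKeyExchange body and rejects a group whose prime is shorter than a policy minimum. The 2048-bit threshold, the function names and the sample byte strings are assumptions constructed for illustration.

```python
import struct

MIN_DH_BITS = 2048  # assumed policy threshold, not a value from the thread

def _read_vec16(buf, off):
    """Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return int.from_bytes(buf[off:off + n], "big"), off + n

def parse_server_dh_params(body):
    """Return (dh_p, dh_g, dh_Ys, offset); the signature, if any, starts at offset."""
    p, off = _read_vec16(body, 0)
    g, off = _read_vec16(body, off)
    ys, off = _read_vec16(body, off)
    return p, g, ys, off

def check_dh_params(body, min_bits=MIN_DH_BITS):
    """Return (ok, reason). Size and range checks only; primality is not tested."""
    p, g, ys, _ = parse_server_dh_params(body)
    bits = p.bit_length()
    if bits < min_bits:
        return False, f"dh_p is {bits} bits, below minimum {min_bits}"
    if p % 2 == 0:
        return False, "dh_p is even"
    if not 1 < g < p - 1:
        return False, "dh_g out of range"
    if not 1 < ys < p - 1:
        return False, "dh_Ys out of range"
    return True, f"dh_p is {bits} bits"

def build_params(p, g, ys):
    """Encode constructed sample values in the ServerDHParams wire layout."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

# Constructed samples: odd numbers of the right size, not real primes or server groups.
SHORT = build_params((1 << 511) | 1, 2, 5)
LONG = build_params((1 << 2047) | 1, 2, 5)

if __name__ == "__main__":
    for name, body in (("short", SHORT), ("long", LONG)):
        print(name, check_dh_params(body))
```
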