After the discovery of vulnerabilities associated in one way or another with the SSL/TLS protocol in 2014 and the first trimester of 2015 (Heartbleed, Poodle, WinShock and Freak), in the middle of last May "Logjam", was disclosed, a new vulnerability that affects the security of Internet communications.
Warnings published by the Security and Industry CERT informed at the time of the discovery of this security failure and provided some possible mitigation measures:
- Logjam, another SSL vulnerability
- Vulnerabilidad en la negociación de claves DH en TLS
- Múltiples vulnerabilidades en OpenSSL
Logjam ( CVE-2015-4000) refers to a man-in-the-middle attack that allows an attacker to downgrade the strength of the encryption keys used in the Diffie-Hellman algorithm used by TLS, in such a way that communications can be decrypted with relative ease using modern computers.
The risk is increased due to the fact that the vast majority of systems use the same prime numbers to carry out the calculations for the key exchange, so that if the attack is successful against the most commonly used ones, there is practically immediate access to a large number of servers.
In this way, if the Diffie-Hellman algorithm with 512-bit keys is used to encrypt communications, they can be decrypted by any attacker. Furthermore, the investigators who have reported this vulnerability estimate that an academic team with access to university hardware could decrypt 712-bit keys, and an attacker with access to more resources (such as a nation) would be able to break 1024-bit encryption keys in a reasonable period of time.
Although by nature Logjam is an attack similar to Freak, in this case the problem is due to a failure in the TLS protocol itself and not in specific implementations of the protocol, making practically all systems potentially vulnerable until patched.
Additionally, this new vulnerability has even caused the OpenSSL Project, the entity responsible for one of the currently most commonly-used implementations, to begin to revise the default options with the aim of making use of more resistant encryption.
At the client level, the majority of vendors of web browsers have provided updates that resolve this vulnerability, but in order to find out the potential impact on Spanish servers, it is of interest to know the level of exposure to this vulnerability of web pages belonging to .es domains, as well as to update data about other vulnerabilities associated with SSL. The results of this analysis are as follows.
Exposure of websites belonging to Spanish domains
After adding Logjam and other security checks related to the verification processes for SSL vulnerabilities, the statistical analysis carried out on registered .es domains reveals the following comprehensive information:
- Percentage of Spanish websites by SSL/TLS vulnerabilities. Source: INCIBE -
Among the websites that use SSL, a high rate of affectation by one of these aforementioned vulnerabilities has been observed (more than 75%), fundamentally due to the appearance of Logjam.
Specifically, by analysing the number of affected websites that use SSL to each one of these vulnerabilities, it becomes clear that a considerably high percentage have been affected by Logjam, despite the fact that only two months have passed since its emergence, while the percentage affected by the remaining vulnerabilities is lower than 5%:
- Percentage of websites with SSL affected by each vulnerability-. Source: INCIBE-
In addition to knowing current values, it is also worthy of note to observe the evolution of the other vulnerabilities previously analysed. Considering the entirety of the websites analysed (including those that do not use SSL and therefore are not affected by these vulnerabilities), the overall percentage of affected websites is as follows:
- Evolution of the percentage of Spanish websites affected by each vulnerability -
In addition to the high percentage of Logjam mentioned above, in regards to the evolution of the other vulnerabilities analysed, it can be observed that the value remains stable, with a slight increase in the case of Poodle and Freak.
After the appearance of Logjam, it can be said in global terms that the percentage of affected websites in Spain for these vulnerabilities is average (around 23%).
In general, the percentage of websites affected by already-known vulnerabilities has remained more or less stable, but the percentage for Logjam is considerably high for websites using SSL, despite the fact that patches have already been released in various implementations.
As always, the CERT of Security and Industry operated by INCIBE suggests that products be kept updated and that best practices be applied to system configurations. This is recommended in order to avoid being affected by these vulnerabilities as well as others that may emerge in the future.