Fix for encryption flaw will make some sites inaccessible
Internet browser makers have fixed a bug that compromised the security of all Web browsers and some email servers, but the fix could make up to 20,000 sites unreachable, The Wall Street Journal reported.
Companies like Apple, Google, Microsoft and Mozilla — which all support their own browsers — have been working for months to come up with a solution to the previously undisclosed flaw that could have allowed nefarious actors to monitor or tweak Web communications that appeared secure.
The so-called “Logjam” bug affects all software using “transport layer security,” or TLS, which creates the trusted connection during electronic payments or data exchanges.
Logjam is related to the recently discovered “FREAK” bug, another weakness in encryption standards that occurred because the U.S. government intentionally lowered cryptographic export standards for a period in the 1990s.
Essentially, both flaws allow cyberattackers to convince websites to accept a weaker, easy-to-crack encryption key, exposing protected data to hackers. Researchers estimated roughly 8 percent of the top 1 million websites are vulnerable to Logjam.
They also believe the vulnerability might have been attractive to governments for surveillance purposes. They found evidence the National Security Agency might have exploited the bug to spy on virtual private networks, which provide encrypted Internet connections.
But patching the vulnerability proved challenging to browser makers.
“It’s a twitchy business, and we try to be careful,” Richard Barnes, the security lead for Mozilla’s Firefox, told the Journal. “The question is: How do you come up with a solution that gets as much security as you can without causing a lot of disruption to the Internet?”
By raising encryption standards and altering the type of encryption key a website can accept, browser makers risked cutting off access to thousands of legitimate websites.
The compromise they struck will leave about 0.2 percent of secure websites inaccessible.
Microsoft unveiled its patch for Internet Explorer last week. Google’s fix for Chrome will be widespread within weeks and Mozilla will be updating Firefox by the end of the week.