Logjam TLS Attack

May 20, 2015

Security researchers have discovered a new attack on the TLS protocol named Logjam. This attack allows an attacker who can modify network traffic to force vulnerable TLS connections to use known-insecure key lengths. The attack only affects servers supporting the DHE_EXPORT ciphers.

Additionally, the researchers found that commonly used values that are part of the Diffie-Hellman cryptographic key exchange used by TLS may be vulnerable to attack by very powerful entities, such as nation-states.

What We Have Done

The researchers provided three recommendations to secure TLS connections:

  1. Disable Export Cipher Suites. ServerPilot has never enabled the DHE_EXPORT ciphers on your servers, so no action was needed.
  2. Deploy Elliptic-Curve Diffie-Hellman Key Exchange (ECDHE). ServerPilot already enables ECDHE on your servers, so no action was needed.
  3. Use 2048-bit Diffie-Hellman Prime Number Groups. We have updated all servers to use 2048-bit Diffie-Hellman groups.

What You Should Do

No action is required by you.

How to Verify Your Server Is Secure

The researchers provided a tool for verifying that your server is secure against Logjam. You can enter your server's IP address, and the tool will confirm your server is not vulnerable.
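A local cross-check of the 2048-bit recommendation, as an added example (not ServerPilot's code and not the researchers' tool): it reads the `Server Temp Key` line that `openssl s_client` prints and reports whether a DHE handshake used a group of at least 2048 bits. The function names, verdict strings and sample line are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify the ephemeral key an openssl s_client handshake reports.
MIN_DH_BITS=2048   # group size from recommendation 3 above

# Read `openssl s_client` output on stdin and print one verdict word.
logjam_verdict() {
    local line kind bits
    # OpenSSL 1.0.2+ prints the ephemeral key as, for example:
    #   Server Temp Key: DH, 2048 bits
    #   Server Temp Key: ECDH, P-256, 256 bits
    line=$(grep -m1 'Server Temp Key:' || true)
    if [ -z "$line" ]; then
        echo "no-ephemeral-key"
        return 0
    fi
    kind=$(printf '%s\n' "$line" | sed -E 's/.*Server Temp Key: *([^,]+),.*/\1/')
    bits=$(printf '%s\n' "$line" | sed -E 's/.*[ ,]([0-9]+) bits.*/\1/')
    case "$bits" in
        ''|*[!0-9]*) echo "unparsed"; return 0 ;;
    esac
    if [ "$kind" != "DH" ]; then
        echo "ecdhe:$kind"            # elliptic-curve exchange, recommendation 2
    elif [ "$bits" -ge "$MIN_DH_BITS" ]; then
        echo "dhe-ok:$bits"
    else
        echo "dhe-weak:$bits"         # finite-field group below 2048 bits
    fi
}

# Live check (needs network): force a DHE suite over TLS 1.2 so the
# server's DH group size is shown even when it would prefer ECDHE.
check_dhe() {   # usage: check_dhe HOST [PORT]
    openssl s_client -connect "$1:${2:-443}" -tls1_2 -cipher 'EDH' \
        </dev/null 2>/dev/null | logjam_verdict
}

# Constructed sample line (not captured from a real server).
SAMPLE_WEAK='Server Temp Key: DH, 1024 bits'
printf '%s\n' "$SAMPLE_WEAK" | logjam_verdict   # prints dhe-weak:1024
```

A `no-ephemeral-key` result from `check_dhe` means the DHE handshake did not complete: either the server offers no DHE suites, or the local OpenSSL rejected the group as too small. Rerun without `2>/dev/null` to see which.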

Don't hesitate to contact us if you have any questions.