Logjam Vulnerabilty Patch or Update??

[Murphy13]

ALOHA Chromodo Dudes

Previously there was a "Browser Vulnerability" named Poodle which I believe it was the infamous Captain Sticks  ,      that provided a Workaround / Solution.

Well there's a "New Kid In Town" named "Logjam" info here>https://weakdh.org/

According to the test site this browser is currently rated Vulnerable, info here> https://www.ssllabs.com/ssltest/viewMyClient.html

 I was hoping all the "Brainiacs" here will keep their ears to the ground, and provide some input as to a Patch / Solution if and when it becomes available.

As of this moment there is no patch yet for Firefox Version 38.0 but supposedly they will have one out in a  "Few Days"

Microsoft Update addressed this with KB3061518 this last "Patch Tuesday"
I don't have I.E. Installed  however I did install this update. I'm not sure if it pertains to the Windows O.S. or the I.E. Browser.

Anyways the advice given is to Update Your Browser to the latest Version ASAP. Before anyone goes off on me. I am NOT going down the Blackhole of arguing the latest Chrome Vs Chromodo Version. I know that alot of folks put alot of Manhours compiling a Bizillion Lines of Code to keep this browser " Stylin & Profilin"
And I for one am Stoked & Much appreciative of their efforts.

I'm not even sure it would require a Complete Version Update to fix this since the " Poodle Fix" was a cut & paste fix in the Chromodo Properties .exe file.

Hopefully this will be just as simple.

MAHALO & ALOHA
Murph 

[captainsticks]

Hi Murphy13,
I haven't found a solution as simple as the 'POODLE', but if I do I will surely post it.

Thanks.

[JoWa]

It has been fixed in Chrome 45 (see image). I hope stable and beta will be patched before 45 reaches them, and Chromodo/Dragon.

Here is the relevant change on systems where BoringSSL is used: https://boringssl.googlesource.com/boringssl/+/a7997f12be358e58aeb2345bb8b88a9d53240024
Here is the relevant change on systems where NSS is used: https://chromium.googlesource.com/chromium/src/+/1da1e686a87ad9f95d26786d2b53a1a4c280189f

[attachment deleted by admin]

[Sanya IV Litvyak]

Is there nothing the user can do themselves to fix it? Like, disable the affected key exchange? Or does the servers only accept just that one and if disabled then it simply won't use HTTPS on those sites rather than use another technique?

[JoWa]

You can disable all DHE-ciphersuites (leave those using ECHDE enabled):

TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)

Edit: CL: --cipher-suite-blacklist=0xcc15,0x009e,0x0039,0x0033

[Murphy13]

" You can disable all DHE-ciphersuites (leave those using ECHDE enabled):"

TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)


Gee Wilikers PERfesser
Any chance you might break it down for those of us " Non Rocket Surgeons"

And in reference to it "BEING FIXED IN CHROME 45"
I guess that would somehow apply if I were actually USING CHROME

 Mahalo no kou ho`okipa 

[JoWa]

Oh, I thought you were a rocket-surgeon.

Logjam is about weak DHE, where weak means < 1024 bit. Users cannot filter out weak DHE, you can only block DHE-suites, regardless of strength/weakness. To do that, use the command-line I provided: --cipher-suite-blacklist=0xcc15,0x009e,0x0039,0x0033

Fixed in Chrome 45 (the most recently updated Chromium-browser I could test) = fixed in Chromium 45, which means that if Comodo builds Chromodo/Dragon using Chromium 45, the vulnerability will be fixed in Chromodo/Dragon.

[captainsticks]

Edit: CL: --cipher-suite-blacklist=0xcc15,0x009e,0x0039,0x0033

Thanks JoWa.

Kind regards.

[JoWa]

More about Logjam.
EFF: Logjam, part 1: Why the Internet is Broken Again (an explainer)
EFF: Logjam, part 2: Did the NSA Know the Internet was Broken?

[lyn]

opera 12.17 protects! Shame they abandoned it.

[wojrom]

" You can disable all DHE-ciphersuites (leave those using ECHDE enabled):"

TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)

One slight remark protocol TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15) seems to be secure. You can verify this by checking:
https://www.ssllabs.com/ssltest/viewMyClient.html, bu I'm not absolutely sure.

Regards Wojtek

[JoWa]

Hi Wojtek.

The testsite doesn’t support ChaCha20. See https://www.ssllabs.com/ssltest/analyze.html?d=ssllabs.com%2Fssltest%2FviewMyClient.html

Besides Google and CloudFlare, whose servers support only ECDHE_RSA (CloudFlare) or ECDHE_ECDSA and ECDHE_RSA (Google) with ChaCha20, only very few servers support ChaCha20. I wonder if anyone is actually using ChaCha20 with DHE_RSA.

Also, the cipher (ChaCha20, AES-GCM etc) isn’t relevant here, only the key exchange algorithm.

[JoWa]

The Chromium Projects: ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

[Murphy13]

ALOHA Chromodo Browser Dudes

Just an " Oh by the way"

For those folks that might be also using Firefox Browser, (Most Current Version 38.5)
It is still supposedly vulnerable to the " Logjam "
Until Version 39 comes out here is a link with instructions for an " Interim Fix"

http://techdows.com/2015/05/how-to-make-firefox-browser-safe-against-logjam-attack.html

ALOHA
Murph 

[captainsticks]

ALOHA Chromodo Browser Dudes

Just an " Oh by the way"

For those folks that might be also using Firefox Browser, (Most Current Version 38.5)
It is still supposedly vulnerable to the " Logjam "
Until Version 39 comes out here is a link with instructions for an " Interim Fix"

http://techdows.com/2015/05/how-to-make-firefox-browser-safe-against-logjam-attack.html

ALOHA
Murph 

Hi Murphy13,
The affects of these config changes appear to have conflicting results, for CID at least.
For the Logjam vulnerability with most Firefox based browsers.

Thanks.