Previously there was a “Browser Vulnerability” named Poodle which I believe it was the infamous Captain Sticks :-La, :-TU that provided a Workaround / Solution.
Well there’s a “New Kid In Town” named “Logjam” info here>https://weakdh.org/
I was hoping all the “Brainiacs” here will keep their ears to the ground, and provide some input as to a Patch / Solution if and when it becomes available.
As of this moment there is no patch yet for Firefox Version 38.0 but supposedly they will have one out in a “Few Days”
Microsoft Update addressed this with KB3061518 this last “Patch Tuesday”
I don’t have I.E. Installed however I did install this update. I’m not sure if it pertains to the Windows O.S. or the I.E. Browser.
Anyways the advice given is to Update Your Browser to the latest Version ASAP. Before anyone goes off on me. I am NOT going down the Blackhole of arguing the latest Chrome Vs Chromodo Version. I know that alot of folks put alot of Manhours compiling a Bizillion Lines of Code to keep this browser " Stylin & Profilin"
And I for one am Stoked & Much appreciative of their efforts.
I’m not even sure it would require a Complete Version Update to fix this since the " Poodle Fix" was a cut & paste fix in the Chromodo Properties .exe file.
Is there nothing the user can do themselves to fix it? Like, disable the affected key exchange? Or does the servers only accept just that one and if disabled then it simply won’t use HTTPS on those sites rather than use another technique?
Logjam is about weak DHE, where weak means < 1024 bit. Users cannot filter out weak DHE, you can only block DHE-suites, regardless of strength/weakness. To do that, use the command-line I provided: --cipher-suite-blacklist=0xcc15,0x009e,0x0039,0x0033
Fixed in Chrome 45 (the most recently updated Chromium-browser I could test) = fixed in Chromium 45, which means that if Comodo builds Chromodo/Dragon using Chromium 45, the vulnerability will be fixed in Chromodo/Dragon.
One slight remark protocol TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15) seems to be secure. You can verify this by checking: https://www.ssllabs.com/ssltest/viewMyClient.html, bu I’m not absolutely sure.
Besides Google and CloudFlare, whose servers support only ECDHE_RSA (CloudFlare) or ECDHE_ECDSA and ECDHE_RSA (Google) with ChaCha20, only very few servers support ChaCha20. I wonder if anyone is actually using ChaCha20 with DHE_RSA.
Also, the cipher (ChaCha20, AES-GCM etc) isn’t relevant here, only the key exchange algorithm.
For those folks that might be also using Firefox Browser, (Most Current Version 38.5)
It is still supposedly vulnerable to the " Logjam "
Until Version 39 comes out here is a link with instructions for an " Interim Fix"
Hi lyn,
Thanks for this information.
The suggested add-on basically does what I have suggested in about config, with the same conflicting results with the test sites for CID 26.
Let us hope the new CID solves this issue.
Anyway I guess we should all get back on topic (Myself included), as this is the CD and Chromodo section of the Forum.