Topic: Logjam Vulnerability Patch or Update??

Murphy13 (Newbie)
Logjam Vulnerability Patch or Update??
« on: May 23, 2015, 05:32:52 AM »
ALOHA Chromodo Dudes

Previously there was a "Browser Vulnerability" named Poodle, for which I believe it was the infamous Captain Sticks :-La :-TU that provided a Workaround / Solution.

Well there's a "New Kid In Town" named "Logjam", info here> https://weakdh.org/

According to the test site this browser is currently rated Vulnerable, info here> https://www.ssllabs.com/ssltest/viewMyClient.html

I was hoping all the "Brainiacs" here will keep their ears to the ground, and provide some input as to a Patch / Solution if and when it becomes available.

As of this moment there is no patch yet for Firefox Version 38.0 but supposedly they will have one out in a "Few Days".

Microsoft Update addressed this with KB3061518 this last "Patch Tuesday".
I don't have I.E. installed, however I did install this update. I'm not sure if it pertains to the Windows O.S. or the I.E. Browser.

Anyways the advice given is to Update Your Browser to the latest Version ASAP. Before anyone goes off on me, I am NOT going down the Blackhole of arguing the latest Chrome Vs Chromodo Version. I know that a lot of folks put a lot of Manhours compiling a Bizillion Lines of Code to keep this browser "Stylin & Profilin"
And I for one am Stoked & Much appreciative of their efforts.

I'm not even sure it would require a Complete Version Update to fix this since the "Poodle Fix" was a cut & paste fix in the Chromodo Properties .exe file.

Hopefully this will be just as simple.

MAHALO & ALOHA
Murph  8)
I do not like this Uncle Sam,
I do not like when Congress steals, I do not like their secret deals.
I do not like these dirty crooks, or how they lie and cook the books.
I do not like the N.S.A.'s smug replies, when I complain about their lies.
-- props to Dr. Seuss & That Snowden Dude

captainsticks (Global Moderator)
Re: Logjam Vulnerability Patch or Update??
« Reply #1 on: May 23, 2015, 08:15:49 AM »
Hi Murphy13,
I haven't found a solution as simple as the 'POODLE', but if I do I will surely post it. :)

Thanks.

JoWa (Global Moderator)
Re: Logjam Vulnerability Patch or Update??
« Reply #2 on: May 23, 2015, 11:22:02 AM »
It has been fixed in Chrome 45 (see image). I hope stable and beta will be patched before 45 reaches them, and Chromodo/Dragon.

Here is the relevant change on systems where BoringSSL is used: https://boringssl.googlesource.com/boringssl/+/a7997f12be358e58aeb2345bb8b88a9d53240024
Here is the relevant change on systems where NSS is used: https://chromium.googlesource.com/chromium/src/+/1da1e686a87ad9f95d26786d2b53a1a4c280189f

[attachment deleted by admin]
« Last Edit: May 23, 2015, 11:27:01 AM by JoWa »
Ubuntu 19.10 | Firefox 72β | HTTPS Everywhere | Privacy Badger
Forum Policy | Comodo Product Help

Sanya IV Litvyak
Re: Logjam Vulnerability Patch or Update??
« Reply #3 on: May 23, 2015, 02:15:32 PM »
Is there nothing the user can do themselves to fix it? Like, disable the affected key exchange? Or do the servers only accept just that one and if disabled then it simply won't use HTTPS on those sites rather than use another technique?
I support privacy and freedom online - eff.org

JoWa (Global Moderator)
Re: Logjam Vulnerability Patch or Update??
« Reply #4 on: May 23, 2015, 03:02:49 PM »
You can disable all DHE-ciphersuites (leave those using ECDHE enabled):

TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)

Edit: CL: --cipher-suite-blacklist=0xcc15,0x009e,0x0039,0x0033
« Last Edit: May 23, 2015, 03:57:58 PM by JoWa »

Murphy13 (Newbie)
Re: Logjam Vulnerability Patch or Update??
« Reply #5 on: May 25, 2015, 10:23:38 AM »
"You can disable all DHE-ciphersuites (leave those using ECDHE enabled):" ???

TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)


Gee Wilikers PERfesser
Any chance you might break it down for those of us " Non Rocket Surgeons"

And in reference to it "BEING FIXED IN CHROME 45"
I guess that would somehow apply if I were actually USING CHROME

 Mahalo no kou ho`okipa  8)

JoWa (Global Moderator)
Re: Logjam Vulnerability Patch or Update??
« Reply #6 on: May 25, 2015, 10:48:28 AM »
Oh, I thought you were a rocket-surgeon. :a0

Logjam is about weak DHE, where weak means < 1024 bit. Users cannot filter out weak DHE, you can only block DHE-suites, regardless of strength/weakness. To do that, use the command-line I provided: --cipher-suite-blacklist=0xcc15,0x009e,0x0039,0x0033

Fixed in Chrome 45 (the most recently updated Chromium-browser I could test) = fixed in Chromium 45, which means that if Comodo builds Chromodo/Dragon using Chromium 45, the vulnerability will be fixed in Chromodo/Dragon.

captainsticks (Global Moderator)
Re: Logjam Vulnerability Patch or Update??
« Reply #7 on: May 25, 2015, 05:18:03 PM »
> Edit: CL: --cipher-suite-blacklist=0xcc15,0x009e,0x0039,0x0033
Thanks JoWa. :-TU

Kind regards.


lyn
Re: Logjam Vulnerability Patch or Update??
« Reply #9 on: May 27, 2015, 01:32:36 PM »
Opera 12.17 protects! Shame they abandoned it.

wojrom (Newbie)
Re: Logjam Vulnerability Patch or Update??
« Reply #10 on: May 28, 2015, 02:39:52 AM »
> "You can disable all DHE-ciphersuites (leave those using ECDHE enabled):" ???
>
> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15)
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)

One slight remark: protocol TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15) seems to be secure. You can verify this by checking:
https://www.ssllabs.com/ssltest/viewMyClient.html, but I'm not absolutely sure.

Regards Wojtek


JoWa (Global Moderator)
Re: Logjam Vulnerability Patch or Update??
« Reply #11 on: May 28, 2015, 02:54:12 AM »
Hi Wojtek.

The test site doesn’t support ChaCha20. See https://www.ssllabs.com/ssltest/analyze.html?d=ssllabs.com%2Fssltest%2FviewMyClient.html

Besides Google and CloudFlare, whose servers support only ECDHE_RSA (CloudFlare) or ECDHE_ECDSA and ECDHE_RSA (Google) with ChaCha20, only very few servers support ChaCha20. I wonder if anyone is actually using ChaCha20 with DHE_RSA.

Also, the cipher (ChaCha20, AES-GCM etc) isn’t relevant here, only the key exchange algorithm.
Ubuntu 19.10 | Firefox 72β | HTTPS Everywhere | Privacy Badger
Forum Policy | Comodo Product Help
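
Added example (not part of any post in this thread, and not Chromium code): a small Python check of the workaround from Replies #4, #6 and #11. It classifies suites by key exchange only, builds the `--cipher-suite-blacklist` value, and audits a given value against a client offer. The function names are hypothetical, and the two ECDHE suites and the static-RSA suite in the sample offer are constructed additions using their standard IANA IDs.

```python
# Added example: not from the thread and not Chromium code.
# Constructed client offer: the four DHE suites quoted in the thread, plus two
# ECDHE suites and one static-RSA suite (standard IANA IDs) added for contrast.
OFFERED = {
    0xCC15: "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
FLAG = "--cipher-suite-blacklist"

def key_exchange(name):
    """Key-exchange token of a TLS_<kx>_WITH_<cipher> name: DHE, ECDHE, RSA."""
    prefix, sep, _cipher = name.partition("_WITH_")
    if not sep or not prefix.startswith("TLS_"):
        raise ValueError(f"unexpected suite name: {name!r}")
    return prefix.split("_")[1]

def parse_blacklist(arg):
    """Parse the flag into a set of 16-bit suite IDs (0x9e and 0x009e are equal)."""
    flag, sep, values = arg.partition("=")
    if flag != FLAG or not sep:
        raise ValueError(f"expected {FLAG}=<hex ids>")
    ids = {int(v, 16) for v in values.split(",") if v.strip()}
    if any(not 0 <= i <= 0xFFFF for i in ids):
        raise ValueError("suite IDs are 16-bit values")
    return ids

def build_blacklist(offered):
    """Flag blocking every finite-field DHE suite, whatever cipher it carries."""
    ids = [i for i, n in offered.items() if key_exchange(n) == "DHE"]
    return FLAG + "=" + ",".join(f"0x{i:04x}" for i in ids)

def audit(offered, arg):
    """Show what a blacklist leaves on offer and what it blocks by mistake."""
    blocked = parse_blacklist(arg)
    left = [n for i, n in offered.items() if i not in blocked]
    return {
        "dhe_still_offered": [n for n in left if key_exchange(n) == "DHE"],
        "non_dhe_blocked": [n for i, n in offered.items()
                            if i in blocked and key_exchange(n) != "DHE"],
        "remaining": left,
    }

if __name__ == "__main__":
    print(build_blacklist(OFFERED))
    # Leaving out 0xcc15 because it uses ChaCha20 keeps a DHE suite on offer.
    print(audit(OFFERED, FLAG + "=0x009e,0x0039,0x0033")["dhe_still_offered"])
```

Replace the sample offer with the suite list your own browser reports on the client test page to see what remains after the flag is applied.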


Murphy13 (Newbie)
Re: Logjam Vulnerability Patch or Update??
« Reply #13 on: June 03, 2015, 12:10:52 AM »
ALOHA Chromodo Browser Dudes

Just an "Oh by the way"

For those folks that might be also using Firefox Browser, (Most Current Version 38.5)
It is still supposedly vulnerable to the "Logjam"
Until Version 39 comes out here is a link with instructions for an "Interim Fix"

http://techdows.com/2015/05/how-to-make-firefox-browser-safe-against-logjam-attack.html

ALOHA
Murph  8)

captainsticks (Global Moderator)
Re: Logjam Vulnerability Patch or Update??
« Reply #14 on: June 03, 2015, 06:27:54 AM »
> ALOHA Chromodo Browser Dudes
>
> Just an "Oh by the way"
>
> For those folks that might be also using Firefox Browser, (Most Current Version 38.5)
> It is still supposedly vulnerable to the "Logjam"
> Until Version 39 comes out here is a link with instructions for an "Interim Fix"
>
> http://techdows.com/2015/05/how-to-make-firefox-browser-safe-against-logjam-attack.html
>
> ALOHA
> Murph  8)

Hi Murphy13,
The effects of these config changes appear to have conflicting results, for CID at least.
For the Logjam vulnerability with most Firefox-based browsers.

Thanks.
