19

[question] is sailfish vulnerable to logjam? [not relevant]

asked 2015-05-20 18:31:18 +0200

misc11

hi,

there's a new attack on https crypto related to the old freak attack called logjam. is sailfish vulnerable to that? if yes, when can we get a fix?


The question has been closed for the following reason "question is not relevant or outdated" by misc11
close date 2016-05-09 21:42:04.567994

Comments

An interesting thought: http://m.slashdot.org/story/276253

objectifnul ( 2015-05-21 10:36:36 +0200 )edit

3 Answers

6

answered 2015-05-20 19:09:46 +0200

max

Checking the website https://weakdh.org/ the browser needs an update.


Comments

1

This issue has been fixed in 1.1.9.x.

tigeli ( 2015-09-10 23:39:51 +0200 )edit
5

answered 2015-05-20 21:57:46 +0200

misc11

updated 2015-05-21 08:47:42 +0200

until there is an official patch, here's what you can do: open new tab -> enter "about:config" -> swipe left to accept the message "ok" -> search for ".dhe_"

then unselect the following 2 entries:

  • security.ssl3.dhe_rsa_aes_128_sha
  • security.ssl3.dhe_rsa_aes_256_sha

then see on the check site for logjam if the message is blue saying "Good News!"

please jolla act fast! this is a big thing! and to everybody running a server out there please check your diffie-hellman-parameters, apparently half of the internet is using the same one which means crack one, have access almost everywhere...

edit: as @Yo pointed out: this only fixes the problem in the browser


Comments

This only fixes browser connections. All other connections from e. g. apps, mail, xmpp etc. will still be vulnerable (if they are vulnerable at all).

BTW: This is not such a BIG thing as you say. From what I understand, it weakens the encryption significantly so if you have enough (a LOT) computing capacity it might be in range of being broken. It's still not easy and has to be done for each new encryption session.

Yo ( 2015-05-20 23:38:29 +0200 )edit

@Yo absolutely correct! but better than nothing. i should have mentioned though.....

misc11 ( 2015-05-20 23:43:02 +0200 )edit

@Yo also true.... but apparently a lot of admins have used the same parameters to set up DH which is the first step in breaking it.... there are signs that a big three letter organisation has done exactly that. and by breaking that one key they have access to a lot of sites out there:

"We carried out this computation against the most common 512-bit prime used for TLS and demonstrate that the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT. We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. […] A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break."

misc11 ( 2015-05-20 23:48:09 +0200 )edit
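
An added illustration, not code from any poster in this thread or from Jolla: a Python check of the size of a server's Diffie-Hellman modulus, which is what the answer above asks admins to look at, graded against the sizes named in the quoted paper excerpt. The function names, the sample input and the choice to treat each named size as an upper bound are assumptions of this example; it checks size only, not whether the prime is a widely shared one.

```python
import base64

def classify_bits(bits):
    """Grade a DH modulus size using the sizes named in the quoted excerpt."""
    if bits <= 512:
        return "export-grade: broken in the quoted research"
    if bits <= 768:
        return "quoted estimate: breakable by an academic team"
    if bits <= 1024:
        return "quoted estimate: breakable by a nation-state"
    return "larger than any size the quote lists as breakable"

def _read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def dh_modulus_bits(pem_text):
    """Bit length of p in a PEM 'DH PARAMETERS' block (SEQUENCE { p, g })."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or "BEGIN DH PARAMETERS" not in lines[0]:
        raise ValueError("not a DH PARAMETERS PEM block")
    der = base64.b64decode("".join(lines[1:-1]))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()

def _der_len(n):
    size = (n.bit_length() + 7) // 8
    return bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")

def make_sample_pem(bits):
    """Constructed input: an odd number of the given size, NOT a real prime."""
    body = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # 0x00 pad
    ints = b"\x02" + _der_len(len(body)) + body + b"\x02\x01\x02"  # p, g = 2
    der = b"\x30" + _der_len(len(ints)) + ints
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{b64}\n-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    for size in (512, 768, 1024, 2048):
        bits = dh_modulus_bits(make_sample_pem(size))
        print(bits, classify_bits(bits))
```

To run it on a real file, pass the file's text to `dh_modulus_bits` in place of the constructed sample.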
2

answered 2015-05-21 08:53:38 +0200

chemist

This is actually a server-side issue, I'd rather have my clients support anything than fall back to non-SSL/TLS! Better check if the services you use are up to speed! The question on the SFOS side is: does it support the latest state-of-the-art suites?


Comments

2

of course this is mostly a server-side issue, but we can not really do anything there.... but, i don't want my client to support unsecure algorithms like rc4 for example, because then to me it feels encrypted when it's not really. while falling back on non-SSL/TLS i immediately realize it! also for mail other ports are used then which are not configured... so the connection just fails. also i'm not sure if they are able to make a downgrade attack in a way that you don't use encryption at all... (?)

anyway: supporting unsecure algorithms gives you a false feeling of security

misc11 ( 2015-05-21 09:03:34 +0200 )edit
1

You do recognize shit... or do you monitor your connections? If you are at that level, you do not use bad services at all so why bother what your client does? And no, you cannot make it fall back to non-encrypted, you will need to set up your account that way.

chemist ( 2015-05-21 09:14:13 +0200 )edit



Stats

Asked: 2015-05-20 18:31:18 +0200

Seen: 887 times

Last updated: May 21 '15