[question] is sailfish vulnerable to logjam? [not relevant]
hi,
there's a new attack on https crypto related to the old freak attack called logjam. is sailfish vulnerable to that? if yes, when can we get a fix?
Checking the website https://weakdh.org/ the browser needs an update.
until there is an official patch, here's what you can do: open new tab -> enter "about:config" -> swipe left to accept the message "ok" -> search for ".dhe_"
then unselect the following 2 entries:
then see on the check site for logjam if the message is blue saying "Good News!"
please jolla act fast! this is a big thing! and to everybody running a server out there please check your diffie-hellman-parameters, apparently half of the internet is using the same one, which means crack one and you have access almost everywhere...
edit: as @Yo pointed out: this only fixes the problem in the browser
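One way to act on the advice above to check server Diffie-Hellman parameters, as an added example that is not part of the original post: it parses PKCS#3 `DH PARAMETERS` PEM blocks, rates the prime size against the sizes named in the paper excerpt quoted in this thread, and flags primes reused across servers. The server names and parameter values are constructed samples, not real primes.

```python
import base64
from collections import Counter

def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def to_pem(p, g):
    """Build a PKCS#3 DHParameter PEM; used only to make the constructed samples."""
    ints = b"".join(b"\x02" + der_len(len(r)) + r for r in
                    (n.to_bytes(n.bit_length() // 8 + 1, "big") for n in (p, g)))
    b64 = base64.b64encode(b"\x30" + der_len(len(ints)) + ints).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "\n-----END DH PARAMETERS-----\n"

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def dh_prime(pem):
    """Extract the prime p from a 'DH PARAMETERS' PEM block."""
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    tag, seq, _ = read_tlv(base64.b64decode("".join(body)), 0)
    ptag, p_raw, _ = read_tlv(seq, 0)
    if tag != 0x30 or ptag != 0x02:
        raise ValueError("not a DHParameter SEQUENCE")
    return int.from_bytes(p_raw, "big")

def audit(servers):
    """Map name -> (bits, verdict, shared_prime) for a dict of name -> PEM text."""
    primes = {name: dh_prime(pem) for name, pem in servers.items()}
    seen = Counter(primes.values())
    out = {}
    for name, p in primes.items():
        bits = p.bit_length()              # thresholds follow the quoted paper excerpt
        verdict = ("broken" if bits <= 512 else "academic reach" if bits <= 768
                   else "nation-state reach" if bits <= 1024 else "ok")
        out[name] = (bits, verdict, seen[p] > 1)
    return out

# Constructed sample values: right bit lengths, not real primes or real servers.
WEAK, STRONG = (1 << 511) | 0x1234567, (1 << 2047) | 1
SAMPLE = {"mail": to_pem(WEAK, 2), "web": to_pem(WEAK, 2), "vpn": to_pem(STRONG, 2)}
```

Calling `audit(SAMPLE)` rates `mail` and `web` as 512-bit with a shared prime and `vpn` as 2048-bit with a prime of its own.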
This only fixes browser connections. All other connections from e. g. apps, mail, xmpp etc. will still be vulnerable (if they are vulnerable at all).
BTW: This is not such a BIG thing as you say. From what I understand, it weakens the encryption significantly so if you have enough (a LOT) computing capacity it might be in range of being broken. It's still not easy and has to be done for each new encryption session.
Yo ( 2015-05-20 23:38:29 +0200 )
@Yo also true.... but apparently a lot of admins have used the same parameters to set up DH which is the first step in breaking it.... there are signs that a big three letter organisation has done exactly that. and by breaking that one key they have access to a lot of sites out there:
"We carried out this computation against the most common 512-bit prime used for TLS and demonstrate that the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT. We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. […] A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break."
misc11 ( 2015-05-20 23:48:09 +0200 )
This is actually a server-side issue, I'd rather have my clients support anything than fall back to non-SSL/TLS! Better check if the services you use are up to speed! Question on SFOS side is does it support the latest state of the art suites?
of course this is mostly a server-side issue, but we can not really do anything there.... but, i don't want my client to support unsecure algorithms like rc4 for example, because then to me it feels encrypted when it's not really. while falling back on non-SSL/TLS i immediately realize it! also for mail other ports are used then which are not configured... so the connection just fails. also i'm not sure if they are able to make a downgrade attack in a way that you don't use encryption at all... (?)
anyway: supporting unsecure algorithms gives you a false feeling of security
misc11 ( 2015-05-21 09:03:34 +0200 )
Asked: 2015-05-20 18:31:18 +0200
Seen: 990 times
Last updated: May 21 '15
An interesting thought: http://m.slashdot.org/story/276253
objectifnul ( 2015-05-21 10:36:36 +0200 )