The discovery of an encryption flaw that puts web surfers’ data at risk could boost the opposition to law enforcement efforts to weaken data encryption protections.
The BBC reports that the flaw, dubbed LogJam, was discovered by researchers at Microsoft and a number of U.S. and French universities. It allows a cyber-attacker to significantly weaken the encrypted connection between a user and a web or email server.
An estimated 8.4% of the top one million websites could be affected as well as a slightly larger percentage of mail servers populating the IPv4 address space, the researchers said. Browser makers have developed a fix for LogJam that could make more than 20,000 websites, or 2% of secure websites, unreachable, according to The Wall Street Journal.
The LogJam attack vulnerability, the BBC said, is a legacy of export restrictions that the U.S. imposed on cryptographic tools in the 1990s. For national security reasons, the government required U.S. developers to limit the complexity of the secret encryption codes that could be generated by “international versions” of U.S.-made software.
The export rules were later relaxed, but they had the unintended consequence of making it easier for a hacker to decode encrypted traffic.
“Logjam shows us once again why it’s a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for,” J. Alex Halderman, one of the scientists behind the LogJam research, told Ars Technica. “That’s exactly what the United States did in the 1990s with crypto export restrictions, and today that backdoor is wide open, threatening the security of a large part of the Web.”
Earlier this week, technology companies including Apple and Google wrote President Barack Obama, urging him to reject any law enforcement proposal that weakens the encryption of customer data.
LogJam is closely related to a vulnerability known as Freak that also allowed attackers to downgrade HTTPS connections to 512-bit cryptography. Organizations should “use flaws like this as an excuse to give themselves a security health-check,” Ross Brewer of the security research company LogRhythm told the BBC.