

Logjam: the latest TLS vulnerability explained - jgrahamc
https://blog.cloudflare.com/logjam-the-latest-tls-vulnerability-explained/?

======
r1ch
A bit off topic, but I find it quite disheartening that cloudflare has regular
blog posts about how great their security is and how safe you are with
cloudflare, but at the same time offers customers seriously broken SSL
options.

2 of the 3 options ("Universal SSL" and "Full SSL") are not "secure" by
today's standards. Universal SSL leaves connections to the origin unsecured
allowing for passive and active MITM attackers to intercept things. Full SSL
allows an active MITM to intercept origin connections.

Advertising these services as "SSL" is misleading and offers a false sense of
security to visitors as they will see the nice green SSL lock and think their
connection to a cloudflare-protected website is fully protected. Meanwhile
their credit card information and other personal details could be travelling
over the internet in plain text to the origin.

~~~
RpPr
Not to mention their disgraceful Tor captchas.

~~~
jamespo
Why do you think they have implemented these? Just to inconvenience you?

~~~
lucb1e
(Another Tor browser user here.) Yes, it sure seems so. Half the time I visit
Hacker News (which is behind Cloudflare) I have to fill in a captcha. I'm
logged in with a 3k rep account and I'm not trying to do any action, I'm just
trying to see the front page. That is _surely_ suspicious enough to give me a
captcha every ten minutes.

Edit: to respond to both comments at once: alright Cloudflare may not
recognize my HN cookie and account, but they do have two cf_* cookies, and I
am merely loading the homepage. No weird URL parameters, no POST data,
nothing.

~~~
d23
Dude, you're assuming that from that same exact IP address they aren't getting
a ton of other traffic that isn't spamming the hell out of them or doing
completely sketchy stuff. That's what happens when you share an IP address
with other people -- especially those who might be criminals or have other
nefarious motives for using tor.

~~~
lucb1e
And that's why IP banning is a silly thing in IPv4. In Italy CGNAT has been
widely deployed for years, and Asian ISPs have big trouble obtaining IPv4
addresses as well.

Dude.

------
haytjes
As reported earlier, it is quite easy to test if your server is (still)
affected. I used
[http://security.uwsoftware.be/logjam](http://security.uwsoftware.be/logjam)
since it didn't have a cache on it. That makes it possible to fix and confirm
fixed. (IIUC most other tools had a cache. So when testing after fixing it was
just showing that it was still vulnerable).

------
theandrewbailey
I wish there were more diagrams (like the one in this article) that explain
how specific HTTPS ciphersuites work and how all keys are derived and agreed
upon, and not just the initial TLS handshake. I would like to learn why I need
to generate an RSA key for my server when it's just using AES in the end. I
want to know the steps in the black magic involved in going from an asymmetric
cipher to a symmetric one.

~~~
FiloSottile
(Author here.) Beautiful! I'm about to start a strictly technical podcast
about cryptography and attacks, and I was planning to do the first episode on
all the TLS Key Exchanges. I'm super-happy to see that there might be interest
on this in particular :)

Keep an eye on blog.filippo.io maybe, then!

~~~
sarciszewski
Well, you've piqued my interest! :D

------
baby
Great article! And shameless plug, my take on the attack, which I think
complements this article well:
[http://cryptologie.net/article/270/the-logjam-attack/](http://cryptologie.net/article/270/the-logjam-attack/)

------
hartator
Loved the Cloudflare idea and used them for several websites driving > 2M views
per day, and it's great to see them post things about security, but from my
experiences/benchmarks:

    
    
* Inject JS via HTML packets rewriting
* High numbers of false positives even on lowest threshold
* Issues with Flash resources for some users
* Odd price structure (based on number of domains, not traffic)
* AdSense on error/not-a-bot pages

------
higherpurpose
Nice logo.

