Batu69 Posted May 26, 2015

A new vulnerability known as “Logjam” which allows the exploitation of secure TLS connections has been uncovered and it affects most popular browsers. Here’s how Weakdh.org describes it:

> The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers.

There are currently two sites you can visit to automatically check your browser for the Logjam vulnerability:

https://weakdh.org/ – if you visit this site and receive the following message, then your browser is vulnerable:

https://www.ssllabs.com/ssltest/viewMyClient.html – similarly, this site will display the following message if your browser is vulnerable:

According to reports, the Logjam vulnerability won’t be patched in Firefox until the release of version 39. However, a temporary fix has been published on the Mozilla forum for Firefox users which involves accessing “about:config” and disabling the ssl3 protocol:

1. In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
2. In the search box above the list, type or paste ssl3 and pause while the list is filtered
3. Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)
4. Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)
5. Restart Firefox

I applied both changes myself and visited the two aforementioned sites again; both reported a clean bill of health.

For any browsers that are being reported as vulnerable, I strongly suggest users keep a close eye out for updates and apply same as soon as they become available.

More information here: The Logjam (and Another) Vulnerability against Diffie-Hellman Key Exchange – (security expert Bruce Schneier reports that the vulnerability may have been exploited by the NSA)

http://www.davescomputertips.com/latest-security-vulnerability-logjam-affects-most-browsers/

knowledge-Spammer Posted May 26, 2015

> security expert Bruce Schneier reports that the vulnerability may have been exploited by the NSA)

:o

steven36 Posted May 26, 2015

> security expert Bruce Schneier reports that the vulnerability may have been exploited by the NSA) :o

It would take NSA or some other big outfit to perform such on a mass scale. And there's far more easy ways for them to do it. Only way they would use this exploit if there was no other easier way. It's been around since 95, so if they were going to get you with it, it's already too late. Also, you know why browsers didn't patch this fast: it's not a big deal like other SSL bugs were. You just about have to be in a cyber cafe with a hacker on the same network and you have to be their target. It's more of a threat to websites than end users.

Even Edward Snowden said:

"All I can say is that I share their suspicions, but I simply do not know the answer one way or another. I don't want to mislead anybody by speculating."

But till there is hardcore proof, it's no more than a conspiracy theory. Like the one about Jim Morrison faked his own death. ;)

uffbros Posted May 26, 2015

I have the latest FireFox and it fails..It says to update..Update to what??????

Batu69 Posted May 26, 2015

> I have the latest FireFox and it fails..It says to update..Update to what??????

Update this

1. In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
2. In the search box above the list, type or paste ssl3 and pause while the list is filtered
3. Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)
4. Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)
5. Restart Firefox

temporary fix in Firefox until the release of version 39.

DLord Posted June 1, 2015

> > I have the latest FireFox and it fails..It says to update..Update to what??????
>
> Update this
>
> 1. In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
> 2. In the search box above the list, type or paste ssl3 and pause while the list is filtered
> 3. Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)
> 4. Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)
> 5. Restart Firefox
>
> temporary fix in Firefox until the release of version 39.

I have given up on Firefox and completely removed it from one of my systems. Either this vulnerability is not serious (which to me every vulnerability is serious) or that Mozilla simply doesn't care for the users' security like it should. I get this feeling that Firefox isn't being supported/maintained like it used to.

snf Posted June 1, 2015

Find this on https://ssllocker.com/ChromeLocker.html or work chrome chromium. Create shortcut on desktop, edit properties, in target after all one space paste this:

--ssl-version-min=tls1.2 --use-spdy=off --use-system-ssl --ssl-version-min=tls1.0 --cipher-suite-blacklist=0x0005,0x0004,0xc007,0xc011 --cipher-suite-blacklist=0x000a,0x002f,0x009c,0x0005,0x0004,0xc007,0xc011,0xcc15,0x009e,0x0033,0x0039 --disable-java --disable-logging --dns-prefetch-disable --disable-voice-input --disable-sync --disable-sync-backup --disable-sync-app-list --disable-sync-rollback --disable-sync-rollback --disable-bundled-ppapi-flash --disable-breakpad --disable-async-dns --disable-background-networking --disable-credit-card-scan --disable-drop-sync-credential --disable-preconnect --disable-suggestions-service --disable-save-password-bubble

For me working said if working for you
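
Added example, not part of any post in this thread: a short Python audit that decodes the hex cipher suite IDs in the Chrome flags above and reports which `--cipher-suite-blacklist` value actually disables finite-field DHE suites, the key exchange Logjam targets. The suite names are from the IANA TLS registry (0xcc15 is the pre-standard draft ChaCha20 code point); the flag string is a shortened copy of the posted one, and the function names are hypothetical.

```python
import shlex

# Cipher suite IDs that appear in the posted flags. Names are from the IANA TLS
# registry, except 0xcc15, which is the pre-standard draft ChaCha20 code point.
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xCC15: "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (draft)",
}

# Shortened copy of the posted flags: only the TLS version and cipher switches.
POSTED_FLAGS = (
    "--ssl-version-min=tls1.2 --ssl-version-min=tls1.0 "
    "--cipher-suite-blacklist=0x0005,0x0004,0xc007,0xc011 "
    "--cipher-suite-blacklist=0x000a,0x002f,0x009c,0x0005,0x0004,0xc007,"
    "0xc011,0xcc15,0x009e,0x0033,0x0039"
)

def is_finite_field_dhe(name):
    """Logjam concerns finite-field DHE key exchange, not ECDHE or plain RSA."""
    return name.startswith("TLS_DHE_")

def audit(flags):
    """Return (blacklists, repeated_switches) for a Chrome command line."""
    blacklists, seen, repeated = [], {}, []
    for token in shlex.split(flags):
        key, _, value = token.partition("=")
        seen[key] = seen.get(key, 0) + 1
        if seen[key] == 2:
            repeated.append(key)  # the same switch is given more than once
        if key == "--cipher-suite-blacklist":
            ids = [int(x, 16) for x in value.split(",") if x]
            names = [SUITES.get(i, "unknown 0x%04x" % i) for i in ids]
            dhe = [n for n in names if is_finite_field_dhe(n)]
            blacklists.append({"names": names, "dhe": dhe})
    return blacklists, repeated

if __name__ == "__main__":
    lists, repeated = audit(POSTED_FLAGS)
    for n, entry in enumerate(lists, 1):
        print("blacklist %d disables DHE suites: %s" % (n, entry["dhe"] or "none"))
    print("switches given more than once:", repeated)
```

The two Firefox preferences named earlier in the thread, security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha, correspond to 0x0033 and 0x0039 in this table.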

clubhouse Posted June 2, 2015

> > I have the latest FireFox and it fails..It says to update..Update to what??????
>
> Update this
>
> 1. In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
> 2. In the search box above the list, type or paste ssl3 and pause while the list is filtered
> 3. Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)
> 4. Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)
> 5. Restart Firefox
>
> temporary fix in Firefox until the release of version 39.

Thanks, this worked for me :)

This topic is now archived and is closed to further replies.