6

There’s a new problem with SSL called “Logjam” that was made public yesterday.

How could it affect Ubuntu?

And how to protect Ubuntu against it?

Maythux

1 Answer

5

Update your browser when you can. Here you can check if your browser is affected: https://weakdh.org/

Google is aware of this and is working on a fix for their browsers. For Firefox there is a notice on their forums. From both you can expect updates fairly quickly.

Regarding this bug:

The attack allows a man-in-the-middle to downgrade security of connections to a lower level of encryption — 512 bit — which can be read and attacked with relative ease.

If you do use encryption yourself, use something better than 512 bits. If the encryption is done with a browser (https) you will need to wait for the maintainer of that browser to create a new release.

The website above also has a couple of pointers. The most important one if you are using Apache:

Disable support for SSLv2 and SSLv3 and enable support for TLS, explicitly allow/disallow specific ciphers in the given order:

    SSLProtocol             all -SSLv2 -SSLv3

    SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

    SSLHonorCipherOrder     on

DH Parameters — Use the strong DH parameters generated earlier:

    SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"

They have more on MS IIS, nginx and Tomcat.


On security.stackexchange.com there is also a topic on this: What is Logjam and how do I prevent it? with some details about this.

Rinzwind
  • I found this pretty nice in addition to your answer https://www.howtoforge.com/tutorial/how-to-protect-your-debian-and-ubuntu-server-against-the-logjam-attack/ – Maythux May 21 '15 at 07:56
  • Oh good find. The Apache part is the same (probably one of them copy-pasted it). The flaw has been there since the 90's so I assume we are all safe and this is just going to be another hype (otherwise we'd be hacked by now ;-) ) A fix for this would make us more safe though :D – Rinzwind May 21 '15 at 09:21
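
A check for the `dhparams.pem` file that the `SSLOpenSSLConfCmd DHParameters` line in the answer points at, added here as an example and not part of the original answer or of weakdh.org's guide: it decodes the PEM block and reports the size of the DH modulus. The function names and the 2048-bit `MIN_BITS` threshold are assumptions (the answer only says "better than 512 bits"), and the sample inputs are constructed for the demonstration.

```python
import base64, re

MIN_BITS = 2048  # assumed policy threshold; the answer itself only says "better than 512"

def _der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _der_int(n):
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")  # leading 0x00 keeps it positive
    return b"\x02" + _der_len(len(raw)) + raw

def make_sample_pem(bits):
    """Constructed test input: a modulus of the right size, NOT a real prime."""
    body = _der_int((1 << (bits - 1)) | 1) + _der_int(2)
    der = b"\x30" + _der_len(len(body)) + body
    return ("-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(der).decode()
            + "-----END DH PARAMETERS-----\n")

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def audit_dhparams(pem_text, min_bits=MIN_BITS):
    """Parse a PKCS#3 DH PARAMETERS block: SEQUENCE { INTEGER p, INTEGER g }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    tag, seq, _ = _read_tlv(base64.b64decode("".join(m.group(1).split())), 0)
    (tp, p_raw, nxt) = _read_tlv(seq, 0)
    (tg, g_raw, _) = _read_tlv(seq, nxt)
    if (tag, tp, tg) != (0x30, 0x02, 0x02):
        raise ValueError("not a DH parameter SEQUENCE of two INTEGERs")
    bits = int.from_bytes(p_raw, "big").bit_length()
    return {"bits": bits, "generator": int.from_bytes(g_raw, "big"), "ok": bits >= min_bits}

if __name__ == "__main__":
    for size in (512, 1024, 2048):
        print(size, audit_dhparams(make_sample_pem(size)))
```

To audit a real server, pass the contents of the configured parameter file to `audit_dhparams`; the check covers modulus size only and does not test primality.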