The Logjam bug allows attackers to break secure connections by tricking
the browser and server to communicate using weak crypto – but why do
browsers and servers support weak crypto in the first place?
The answer is in the Bill Clinton-era export restrictions on strong
crypto. During the first crypto wars, the Clinton administration forced
tech companies to export pre-broken crypto to nations to which the US
was hostile. This created the possibility that Web servers would find
themselves communicating with browsers that only supported weak crypto,
and that Web browsers might connect to servers that were incapable of
the normal strong crypto that we rely upon to protect our sensitive
information from eavesdroppers.
As a result, browsers and servers distributed in the USA and other
western states have routinely shipped with a mode in which they appear
to be communicating securely, but are actually using a weak,
easy-to-break cryptographic protocol.
In other words, they have back doors. And attackers have figured out how to waltz through those back doors.
This is especially significant because western governments are demanding
a fresh round of back doors in broader classes of devices that are even
more tightly connected to our daily lives. UK Prime Minister David
Cameron made it an election promise, and the FBI has demanded that Congress give them the power to force tech companies to build in back doors.
But it’s not the 1990s anymore. Crypto doesn’t just protect the Web – it secures your car’s wireless interface to keep attackers out of your brakes and steering; it secures your pacemaker against wireless attacks that can kill you where you stand; it secures your phone against having the camera and mic remotely operated by “sextortionist” voyeurs who blackmail their victims into performing live sex acts on camera with the threat of disclosure of nude photos covertly snapped by their compromised networked cameras.
Once these vulnerabilites are inserted, they ripple out into devices that are placed in the field and never updated,
whose owners and users have no way to know that they were broken by
design. There is only one way to attain cybersecurity, and that’s by
making the Internet and the devices we connect to it as secure as
possible.
