The Wall Street Journal on LogJam, a new computer security vulnerability with broad consequences for the entire web:
Internet-security experts crafted a fix for a previously undisclosed bug in security tools used by all modern Web browsers. But deploying the fix could break the Internet for thousands of websites.
“It’s a twitchy business, and we try to be careful,” said Richard Barnes, who worked on the problem as the security lead for Mozilla Corp., maker of the Firefox Web browser. “The question is: How do you come up with a solution that gets as much security as you can without causing a lot of disruption to the Internet?”
Engineers at browser makers traded messages for two months, ultimately choosing a fix that could make more than 20,000 websites unreachable. All of the browser makers have released updates including the fix or will soon, company representatives said.
The newly discovered weakness could allow an attacker to read or alter communications that claim to be secure. It was disclosed Tuesday by an international team of computer scientists that has found several problems in technology behind prominent security tools, including the green padlock on secure websites.
It’s unclear whether hackers have exploited any of the flaws. Researchers said they were more likely to have been used by governments for surveillance than by criminals trying to steal credit-card numbers. In a draft paper published Tuesday, the researchers said the National Security Agency may have exploited one such flaw to spy on virtual private networks, or VPNs. NSA didn’t respond to a request for comment.
Never expect the NSA to comment on vulnerabilities they have known about for years but opted to keep quiet about so they can keep the flaws in their arsenal of exploits, leveraged daily.