Researchers just discovered an online vulnerability currently called LogJam — and it's believed to be affecting 8% of the world's biggest websites. What makes it so severe, however, is that the vulnerability stems from the type of technology most websites use to keep our personal information safe as it travels throughout the Web.
LogJam is essentially a problem with encryption, the way computers secure data being transferred online so that third parties cannot read anything they intercept. Using mathematics, encryption scrambles data into a long sequence of numbers that only the sender and the intended recipient can decode.
Researchers found that certain hackers can attack "keys," the values that encode and decode encrypted data. Keys are long strings of numbers that conceal the content of the data being transferred. The longer the key, the more secure the encryption.
LogJam, however, makes it possible in certain situations for attackers to replace these long, strong keys with shorter, weaker ones — making them much easier to crack. And web browsers can't even tell that the keys have been tampered with.
LogJam affects more than 8% of the top-1-million websites on the internet, meaning that nearly one out of every ten websites you go to likely has this issue.
And there's even more bad news about our current encryption practices: The paper discussing this vulnerability also revealed that what are considered "midlevel" encryption keys are actually easier to crack than originally thought.
This means that if a website uses these keys, well-resourced attackers can actually intercept those communications too.
The ramifications of LogJam are huge on a theoretical level, though perhaps less so in application. What makes the vulnerability seem so threatening is the idea that the current practice in place for protecting our online identities may not be as secure as we think.
"Cryptography makes certain promises about confidentiality, and this vulnerability violates that trust," Tod Beardsley from security firm Rapid7 wrote in a statement.
In that sense, LogJam is similar to the Heartbleed bug, which was thought by many to be one of the most chilling online-bug discoveries.
Still, the point of entry for LogJam is very narrow. The only way to successfully capitalize on the LogJam bug is to be on the same network as the person you're trying to intercept, at the same time as them. Otherwise, you would need extensive digital resources, such as those available to a government.
"Either they are real close by — in the same network," said Beardsley in a phone conversation with Business Insider. "Or, they are in the internet." This latter part means state actors who "control a big chunk of whatever the backbone is."
In other words, unless the attacker shares your Wi-Fi network, this attack is extremely difficult to carry out for anyone other than a large-scale surveillance program backed by millions of dollars.
All the same, the ramifications are still palpable. LogJam creates the sort of encryption backdoor at which state-sponsored surveillance rings would salivate.
Following this news, browser makers are already scrambling to implement patches that fix the problem. Google and Mozilla both responded to The Wall Street Journal by saying their browsers would stop supporting these weak keys within the coming weeks. Additionally, the operators of many servers still using these weak keys are hurrying to update their systems.