The Logjam disclosure went public yesterday and the paper is the most consequential cryptographic-protocol read of the year so far (weakdh.org, Adrian et al, "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice"). It does for Diffie-Hellman key exchange what FREAK in March did for RSA: it shows that an export-era weakness in the protocol — export-grade Diffie-Hellman groups — has been retained in client-server negotiation, can be forced by an active attacker via downgrade, and yields a feasible cryptographic break.

The CVE is CVE-2015-4000 (cve.mitre.org/CVE-2015-4000). The attack converts a server's offered Diffie-Hellman key exchange into a 512-bit DH_EXPORT exchange that the modern attacker can break with a number-field-sieve precomputation against the prime, followed by per-session discrete-log work that takes minutes. The headline finding is that of the top million HTTPS-enabled domains, around eight per cent are still vulnerable to the export downgrade. Browser vendors are responding — Chrome 45 will reject DH groups under 1024 bits, Firefox is following — and the patches for OpenSSL, Apache and IIS are in flight.

The part of the paper that has me thinking is the second half. The same number-field-sieve precomputation, applied to a 1024-bit prime, is harder by many orders of magnitude — but the authors estimate it is feasible for a state-level actor with hundreds of millions of dollars of compute budget per prime. And the structure of TLS deployment is such that the same handful of 1024-bit DH primes are reused across most of the internet — the OpenSSL default, the Apache mod_ssl default, the Java default. Precompute against one of those primes and you have eavesdrop capability against a substantial fraction of the world's TLS traffic for the lifetime of those primes.

The paper notes that the operational shape of NSA's reported decryption capabilities, as described in the leaked documents from 2013-14 (Der Spiegel reporting on BULLRUN), fits this attack. The authors are careful: they do not claim this is the mechanism. They observe that it would explain what is publicly described, and that the 1024-bit DH attack against widely-shared primes is the only currently-known cryptographic mechanism that produces those operational outputs at that scale.

That is a serious paragraph. It is the first plausible technical hypothesis I have read for what the BULLRUN documents actually describe.

For my work this week, the operational consequences are immediate. Test every customer TLS endpoint for DHE_EXPORT support and disable it. Increase server-side DH parameters to 2048 bits — generated per-server, not the OpenSSL default — using the openssl dhparam workflow described in the paper's deployment guide. Verify the change at the ssllabs.com/ssltest endpoint. Push the configuration through to load balancers, reverse proxies and TLS-terminating intermediaries; in our experience following FREAK, the propagation is incomplete by default.
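Before the configuration changes, it helps to be able to read the group a server actually offers. As an added example (not code from the post or the paper), the following parses the ServerDHParams structure inside a TLS 1.2 ServerKeyExchange and classifies the modulus size against the thresholds discussed above; the threshold names, the sample moduli and the encoder are my own constructions.

```python
import struct

EXPORT_LIMIT_BITS = 1024  # below this is export-grade territory (DHE_EXPORT is 512-bit)
RECOMMENDED_BITS = 2048   # the remediation target for per-server parameters

def parse_server_dh_params(data: bytes) -> dict:
    """Decode dh_p, dh_g, dh_Ys (three 16-bit length-prefixed opaques, RFC 5246 7.4.3)."""
    fields = []
    offset = 0
    for _ in range(3):
        if offset + 2 > len(data):
            raise ValueError("truncated ServerDHParams")
        (length,) = struct.unpack_from("!H", data, offset)
        offset += 2
        if length == 0 or offset + length > len(data):
            raise ValueError("bad opaque length in ServerDHParams")
        fields.append(int.from_bytes(data[offset:offset + length], "big"))
        offset += length
    p, g, ys = fields
    # Bytes after dh_Ys carry the server's signature (DHE_RSA/DHE_DSS); left unparsed here.
    return {"p": p, "g": g, "ys": ys, "rest": data[offset:]}

def classify_dh_group(p: int, g: int) -> str:
    """Size-based verdict only; it does not test primality or group order."""
    if p % 2 == 0 or g < 2 or g >= p:
        return "invalid"
    bits = p.bit_length()
    if bits < EXPORT_LIMIT_BITS:
        return "export-grade"  # the Logjam downgrade target
    if bits < RECOMMENDED_BITS:
        return "weak"          # 1024-bit: shared-prime precomputation risk
    return "ok"

def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Constructed helper: build the wire form so sample values can be round-tripped."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

# Constructed sample moduli: odd numbers of the right bit length, NOT real primes.
EXPORT_P = (1 << 511) | 1
WEAK_P = (1 << 1023) | 1
STRONG_P = (1 << 2047) | 1

if __name__ == "__main__":
    for p in (EXPORT_P, WEAK_P, STRONG_P):
        params = parse_server_dh_params(encode_server_dh_params(p, 2, p - 2))
        print(params["p"].bit_length(), classify_dh_group(params["p"], params["g"]))
```

On a real capture, feed the body of the ServerKeyExchange handshake message (after the 4-byte handshake header) to `parse_server_dh_params`; the signature that follows dh_Ys is returned untouched in `rest`.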

For vCISO clients there is a longer conversation. The Towry trading-platform refresh I mentioned in January is now in vendor scoring; the scoring sheet picked up a "no export-grade ciphersuites" line after FREAK, and is picking up a "DH parameters generated per-server, 2048 bits or stronger" line this week. Browne Jacobson's TLS sweep produced two findings this morning — both vendor-managed, both being remediated. Northcott's estate is unaffected.

The thing FREAK and Logjam share is the time-distance between the policy decision and the cryptographic consequence. Export controls in 1996. Vulnerability disclosure in 2015. Nineteen years of cryptographic debt, accumulating quietly inside RFC text and software defaults that nobody had cause to revisit until they did. There is a class of decisions about cryptographic protocol surface that have to be made with much longer event horizons than the people making them tend to have available, and the consequence of getting them wrong is paid by the operations teams two decades later.

I want to write the long piece about export-control cryptographic debt that I keep promising myself. I will not, today, because there are configurations to change. But it is the right essay to write.
