In the last 48 hours, there was a lot of buzz about yet another SSL exploit: The so-called Logjam vulnerability allows malicious users to manipulate the connection process between client and server and perform a man-in-the-middle attack by forcing both nodes to negotiate weak (and hence, easily breakable) encryption.
However, for any such attack to be successful, the targeted server must support Diffie-Hellmann Export Cyphers.
mailbox.org servers are not affected
The security risks around the export cyphers which are being exploited here have been known for quite a while. In fact, we have stopped supporting these cyphers on our servers a long time ago and provided extra safeguards in the configuration of our servers. To our current knowledge, mailbox.org is not and has not been affected in any way by the Logjam vulnerability.
1024-Bit-DH still secure but we will be updating to stronger keys with 2048 Bits soon
There are some security experts who might say 1024-Bit-Diffie-Hellmann (DH) keys are not up-to-date any more. While some of our applications are currently limited to supporting a maximum of 1024 Bit, there are also updated versions in operation that offer stronger encryption by using the newer 2048 Bit DH keys. However, keep in mind that to our current knowledge, the older keys are still sufficiently secure and there are no known incidents where a 1024 Bit DH key has ever been broken. For instance, Golem says the following on this subject: “Any attack on keys using 768 Bits is already very expensive but is something any well-equipped research institution could certainly pull off. An attack on 1024 Bit keys is theoretically possible, too, but the associated cost can be estimated to be in the region of several hundred million dollars.”
Although stronger DH keys are desirable in the medium term, we believe using keys with 1024 Bits strength is currently not a security problem. However, note that mailbox.org software upgrades are scheduled for the summer of 2015 which will then add support for stronger DH keys to many existing applications.
Our crypto-experts are on the watch, with extra help from external specialists
We at mailbox.org have 25 years of experience in running secure internet systems, and we have invested a lot of time and dedication into making sure these systems are properly configured. Our servers not supporting the exploited export cyphers mentioned above was not a coincidence but the result of our team constantly keeping an eye on known vulnerabilities, evaluating the risks involved, and adjusting our systems accordingly. For instance, there is Karsten Ness – a member of our team of administrators and seasoned expert in cryptographic methods. Karsten is constantly keeping up with developments in this area and can be frequently seen attending conferences, and giving public talks on the subject of cryptography.
We also work together with Markus Manzke and his affiliate security company 8ack.de who actively monitor and test our systems and provide advice for our team of administrators and technicians. We would like to use this opportunity to thank Markus for his long-standing and ongoing help and support, and being a great person to work with.
If you want to know more about Logjam, have a look at the web sites of Heise, Golem and 8ack.de for comprehensive reports.