Saying the Internet has grown “a lot” since its inventors created it some 20 years ago would be a gross understatement. Tim Berners-Lee built the first web page on August 6, 1991, and dedicated it to providing info on the World Wide Web project. Today, there are 4.49 billion web pages in the world, many of which hold and protect vital information.
Now, like most things that have been around for more than 20 years, some of the Internet’s skeletons are beginning to come out of its closet and cause problems. One of these skeletons is a Clinton-era law that’s exposing private online messages to hackers.
Computer researchers recently announced the discovery of “LogJam,” a massive weakness in Internet software that allows hackers to spy on people’s online communications. LogJam affects thousands of websites, and every browser.
Basically, it’s not safe to log into email, bank accounts, or even Facebook on public WiFi or a virtual private network (VPN).
The issue began back in the 1990s. The Clinton administration wanted to control who had permission to encrypt data. Encryption is a method of translating information into a secret code to keep it safe and private as it travels across the web to its destination, where it gets decrypted. The intention was to keep encryption tools out of the hands of foreign governments, and in the hands of U.S. law enforcement. Essentially, the administration considered strong encryption software a potential weapon, and restricted its export. Consequently, American companies had to sell two versions: weak and strong.
Although the ban has more or less been lifted, the weak encryption software from decades ago is still buried in the code of computers and software everywhere.
It’s this weak encryption code that LogJam takes advantage of. The bug allows one computer to tell another to use the easier-to-break export encryption, thus allowing hackers to break into a system in a matter of hours. The bug can also fool a website into thinking it’s using strong encryption, when it’s actually using the weaker one.
Although it doesn’t affect every website, it makes 8% of the top one million websites vulnerable. Additionally, every major web browser (Chrome, Android, Firefox, Internet Explorer, and Safari) has the bug.
Thankfully, the bug isn’t quite as scary as it sounds. These browsers need only to be updated, and the websites patched. Plus, the usual Internet criminals can’t make much use of LogJam.
According to Tod Beardsley, an engineer at security firm Rapid7, “The only two groups really in a position to take advantage of this vulnerability are criminals on coffee shop wifi networks and state actors who already control a huge chunk of the local Internet.”
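The downgrade described above, and the two fixes the article names (patched websites, updated browsers), can be seen in a toy model of the negotiation. This is an added example, not code from the article or from the LogJam researchers; it performs no real cryptography, the function names are hypothetical, and the Diffie-Hellman suite names and bit sizes are assumptions taken from the published LogJam research rather than from this article.

```python
# Toy model of the negotiation only: no real cryptography is performed.
EXPORT, STRONG = "DHE_EXPORT", "DHE"
GROUP_BITS = {EXPORT: 512, STRONG: 2048}  # constructed sizes for this model


def server_hello(offered, allow_export):
    """Pick the first offered suite the server supports.

    Returns (suite, key-exchange group size in bits), or None if nothing matches.
    """
    supported = [STRONG] + ([EXPORT] if allow_export else [])
    for suite in offered:
        if suite in supported:
            return suite, GROUP_BITS[suite]
    return None


def handshake(allow_export, client_min_bits, tampered):
    """Return the outcome of one connection attempt as a short string."""
    offered = [STRONG]            # a modern client never asks for export
    if tampered:
        offered = [EXPORT]        # request rewritten in transit
    reply = server_hello(offered, allow_export)
    if reply is None:
        return "failed: server refused export suite"   # patched website
    suite, bits = reply
    if tampered:
        # Reply relabelled in transit. In this model, as in the real flaw,
        # nothing the client verifies ties the group to the suite name.
        suite = STRONG
    if bits < client_min_bits:
        return f"failed: client rejected {bits}-bit group"  # updated browser
    return f"connected: {suite} with {bits}-bit group"


if __name__ == "__main__":
    cases = {
        "legacy server, old browser": (True, 0, True),
        "patched server, old browser": (False, 0, True),
        "legacy server, updated browser": (True, 1024, True),
        "no tampering": (True, 1024, False),
    }
    for label, args in cases.items():
        print(f"{label}: {handshake(*args)}")
```

Only the first case connects with the weak group while the client believes it negotiated the strong suite; either fix on its own is enough to make the tampered handshake fail.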