Logjam computer bug could wreak havoc

SAN FRANCISCO -- A computer bug named LogJam that has roots in 20-year-old U.S. government policies could make upwards of 20,000 websites unavailable as security fixes are rolled out.
The bug's existence was disclosed Tuesday in a paper and reported by the Wall Street Journal.
LogJam could allow attackers to see or change information on a website that looks secure. When it is fixed, some older, un-updated websites may not work.
Experts caution that there's no indication anyone has actually made use of the flaw and say it affects a small percentage of websites, as most have changed the few lines of code necessary to fix it.
The bug comes on the coattails of FREAK, a bug that was disclosed in March.
LogJam makes use of a flaw intentionally built into computers due to U.S. government regulations in the 1980s and 1990s that made exporting strong encryption software illegal, because such software was considered a potential weapon.
While the ban has mostly been lifted, the less-strong encryption option is still built into some computers and software.
The LogJam bug allows one computer to tell another it must use easier-to-break "export" encryption, which is relatively simple for today's computers to crack. An operation that might have taken days or weeks takes a modern computer just hours.
The bug can also trick a website into thinking it is using strong encryption when it's actually using a weak version.
"It's a good move for browsers to raise the bar on encryption key strength as computing power increases," said Branden Spikes, founder of Spikes Security, which develops technology for secure online web browsing.
Microsoft patched the LogJam vulnerability last week, and patches for other popular browsers should be released soon.
Tod Beardsley, an engineer at security firm Rapid7, said the good news is that the usual bunch of Internet criminals can't really make use of LogJam.
"The only two groups really in a position to take advantage of this vulnerability are criminals on coffee shop wifi networks and state actors who already control a huge chunk of the local Internet," he said.
