Protect Yourself from NSA Attacks on 1024-bit DH


Your Host
Reaction score
In a post on Wednesday, researchers Alex Halderman and Nadia Heninger presented compelling research suggesting that the NSA has developed the capability to decrypt a large number of HTTPS, SSH, and VPN connections using an attack on common implementations of the Diffie-Hellman key exchange algorithm with 1024-bit primes. Earlier in the year, they were part of a research group that published a study of the Logjam attack, which leveraged overlooked and outdated code to enforce "export-grade" (downgraded, 512-bit) parameters for Diffie-Hellman. By performing a cost analysis of the algorithm with stronger 1024-bit parameters and comparing that with what we know of the NSA "black budget" (and reading between the lines of several leaked documents about NSA interception capabilities) they concluded that it's likely NSA has been breaking 1024-bit Diffie-Hellman for some time now.

The good news is, in the time since this research was originally published, the major browser vendors (IE, Chrome, and Firefox) have removed support for 512-bit Diffie-Hellman, addressing the biggest vulnerability. However, 1024-bit Diffie-Hellman remains supported for the forseeable future despite its vulnerability to NSA surveillance. In this post, we present some practical tips to protect yourself from the surveillance machine, whether you're using a web browser, an SSH client, or VPN software.


When you browse the web and visit any website with a "secure" connection, like say your bank or any commercial site like Amazon, you will be connected with an SSL connection. The web address will show as https:\\... The article is saying that the cryptography underlying some implementations for that connection is compromised and has been for some time. Click the link and the article gives you some pretty simple steps to disable the vulnerability from your browser. It doesn't disable your ability to use SSL or secure connections, it just ensures that when you do, it's really secure and not using a compromised routine.

Fixing my FireFox browser literally took me less than 30 seconds.

When I did as the linked document instructed, I got a list showing the two ".DHE_" files, plus 10 more ".DHE_" files. I disabled the 2, but left the other 10 as is. Anyone know if I should disable them, too?
Only disable the 2 mentioned. That will disable the problematic 1024 DH routines.
Top Bottom