If you are not living under a rock you could hardly have missed the discussion regarding The Logjam Attack It has been all over the news lately.

The Logjam attack is what is called a man in the middle attack. I.e. it is a way to eavesdrop communications between two parties possibly retrieving login credentials or other sensitive information. It is not a way to, directly, break into a system such as OPI but possibly get hold of the information you exchange with the unit.

Returning to OPI how is it affected by this? With the latest version 1.3 software upgrade we tightened security on the webserver and during this we disabled what is called “simple” Diffie-Hellman (DH) key exchange and only allow Elliptic-Curve Diffie-Hellman (ECDHE). Thus the web server at OPI is not affected by the Logjam Attack.

Regarding other services at OPI there are only two other that uses TLS encryption, the IMAP server Dovecot and the SMTP mailserver. (This is if you have not enabled SSH which also could use DH key exchange) Both of those could be susceptible of the Logjam Attack depending on how applications connect to the service.

We will review the configurations of these servers further on. The problem with this is that the clients that communicates with these services are a lot more diverse than the web browsers commonly used and the last thing we want to do is to lock out users from these services.