Stephen Farrell will participate in the high level conference on “Protecting online privacy by enhancing IT security and strengthening EU IT capabilities”, organized by the European Parliament. The dates are Tuesday 8 and Wednesday 9 December 2015.

Participation is restricted to members of the EU Parliament, but the opening and closing session can be followed via a live video stream.

Log jam © 2007 born1945 (CC BY 2.0)

A group of fourteen researchers from France and the US presented a paper at CCS 2015 in which they showed several problems with the way Diffie-Hellman (DH) key exchange is used in practice. The DH protocol sets up session keys for encrypted communications in VPNs, HTTPS, SSH and other protocols. Being able to recover the DH session key thus allows an attacker who can observe the traffic to decrypt it, and an active Man-in-the-Middle (MitM) sometimes even to alter the subsequent communication.

The paper is available in PDF. A shorter article concentrates on the implications for pervasive monitoring. And the authors made a Web site with advice for system administrators.

Logjam, an attack on 512-bit, “export-grade” DH keys

One problem is that the discrete logarithm in a 512-bit DH group can now be computed with resources (storage and computing power) available to a typical university. The bulk of the work is a pre-computation that takes about a week and depends only on the prime, not on any individual connection. A week is not fast enough to read, let alone modify, a communication in real time… except when the same prime is used over and over again. And that turns out to be the case: two 512-bit primes account for 92% of the servers that support export-grade DH. Once the pre-computation for a server's prime has been done, recovering an individual session key takes about a minute, which is fast enough that many clients will not notice the slow start of the conversation.

As most clients and servers can handle 1024 bits and more, 512-bit groups should rarely be seen in practice, except that a MitM who can alter messages between the client and the server can make the server believe the client only supports the export-grade cipher suites, so the server replies with 512-bit parameters. The client accepts them because, in TLS 1.2 and earlier, the server signs the DH parameters but not the cipher suite that was negotiated; the attacker then has about a minute to compute the session key and forge the handshake's Finished messages before the client times out. Export-grade suites are a legacy of the 1990s, when the US did not allow software with stronger encryption to be exported. The authors of the paper call this MitM attack the “Logjam” attack.

The authors approached several implementers of client and server software earlier this year and 512-bit support has since been disabled in the latest versions of many programs.

1024-bit primes not safe against Pervasive Monitoring

Among 1024-bit primes there is also a handful that are used by very many servers. Even knowing the prime, however, 1024 bits is strong enough that recovering a session key is out of reach of most organisations. But not necessarily for an organisation with the resources of the NSA. Doing the pre-computation for one of the most popular 1024-bit primes, far enough to allow recovering individual session keys in a reasonable time, would probably take about a year and cost a few hundred million dollars. But then the communications of some 18% of the most popular secure Web sites can be decrypted; still not in real time, but the traffic can be stored and the promising parts decrypted within weeks. An even larger percentage of VPN and SSH servers is vulnerable to this attack.

It is not known if the NSA or any other organisation has actually done that work. The authors argue that some material made public by Edward Snowden can be explained by assuming the NSA has done so and is indeed capable of decoding a certain percentage of encrypted communications.

The authors therefore recommend using 2048-bit or larger groups, generating fresh DH parameters for every server installation instead of using the default parameters that come with the software, and using elliptic-curve DH (ECDHE) instead of traditional finite-field DH where possible.
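To make the two failure modes above concrete (a server sending a short prime, and a client still advertising the export cipher suites that the downgrade relies on), here is an added example. It is not code from the paper's authors or from the STREWS project. It parses the ServerDHParams structure of a TLS 1.2 ServerKeyExchange and the cipher_suites vector of a ClientHello; all messages are constructed inline, and the "primes" are merely odd numbers of the right length (not real DH groups), since only their size is inspected.

```python
"""Logjam-style checks on a TLS handshake (added example, constructed data).

1. ServerKeyExchange: parse (p, g, Ys), measure the prime; <=512 bits is
   broken outright, <2048 bits is within reach of a nation-state
   pre-computation, >=2048 bits matches the Logjam authors' advice.
2. ClientHello: flag any export DHE suite on offer, because that is what
   a MitM needs in order to steer the server to a 512-bit group.
"""
import struct
from dataclasses import dataclass

# IANA cipher-suite code points (RFC 5246 appendix A.5; RFC 5288/5289).
EXPORT_DHE_SUITES = {
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
MIN_DH_BITS = 2048  # the paper's recommendation


@dataclass
class DHParams:
    p: int
    g: int
    ys: int

    @property
    def bits(self) -> int:
        return self.p.bit_length()


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """ServerDHParams (RFC 5246 section 7.4.3): three opaque<1..2^16-1>
    fields, each a 2-byte big-endian length followed by the integer."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def parse_server_dh_params(buf: bytes) -> DHParams:
    """Inverse of encode_server_dh_params, with bounds checks."""
    vals, off = [], 0
    for _ in range(3):
        if off + 2 > len(buf):
            raise ValueError("truncated ServerDHParams")
        (n,) = struct.unpack_from("!H", buf, off)
        off += 2
        if n == 0 or off + n > len(buf):
            raise ValueError("bad field length in ServerDHParams")
        vals.append(int.from_bytes(buf[off:off + n], "big"))
        off += n
    if off != len(buf):
        raise ValueError("trailing bytes after ServerDHParams")
    return DHParams(*vals)


def parses_cleanly(buf: bytes) -> bool:
    try:
        parse_server_dh_params(buf)
        return True
    except ValueError:
        return False


def assess_dh_params(params: DHParams) -> str:
    """'invalid', 'broken' (export-grade), 'weak' (<2048 bits) or 'ok'."""
    if params.p < 3 or params.p % 2 == 0:
        return "invalid"          # cannot be an odd prime
    if not 1 < params.ys < params.p - 1:
        return "invalid"          # public value out of range
    if params.bits <= 512:
        return "broken"
    if params.bits < MIN_DH_BITS:
        return "weak"
    return "ok"


def export_suites_offered(cipher_suites: bytes) -> list:
    """Names of export DHE suites in a ClientHello cipher_suites vector
    (2 bytes per suite). A hardened client returns an empty list."""
    if len(cipher_suites) % 2:
        raise ValueError("cipher_suites must be a multiple of 2 bytes")
    found = []
    for i in range(0, len(cipher_suites), 2):
        (cs,) = struct.unpack_from("!H", cipher_suites, i)
        if cs in EXPORT_DHE_SUITES:
            found.append(EXPORT_DHE_SUITES[cs])
    return found


def _fake_odd_number(bits: int) -> int:
    """Constructed stand-in for a prime of the given size (NOT a real
    prime, NOT a usable group); only its length matters here."""
    return (1 << (bits - 1)) | 1


# Constructed sample messages.
EXPORT_SKE = encode_server_dh_params(_fake_odd_number(512), 2, 12345)
LEGACY_SKE = encode_server_dh_params(_fake_odd_number(1024), 2, 12345)
MODERN_SKE = encode_server_dh_params(_fake_odd_number(2048), 2, 12345)
# A legacy client that still advertises an export suite, and a patched one.
LEGACY_HELLO_SUITES = struct.pack("!HHH", 0xC02F, 0x009E, 0x0014)
PATCHED_HELLO_SUITES = struct.pack("!HH", 0xC02F, 0x009E)

if __name__ == "__main__":
    for name, ske in (("export", EXPORT_SKE), ("legacy", LEGACY_SKE), ("modern", MODERN_SKE)):
        p = parse_server_dh_params(ske)
        print(f"{name}: {p.bits}-bit prime -> {assess_dh_params(p)}")
    print("legacy client offers:", export_suites_offered(LEGACY_HELLO_SUITES))
    print("patched client offers:", export_suites_offered(PATCHED_HELLO_SUITES))
```

The size check is the part a client can enforce on its own: rejecting any ServerKeyExchange whose prime is below a threshold stops the downgrade regardless of which suite the server believes was negotiated. The cipher-suite check is what a server operator or scanner would run to see whether export suites are still on offer.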

Update 2015-10-15: Paul Wouters and Jari Arkko of the IAB posted an article on the IETF site with some pointers to work going on in the IETF and with a pointer to another article by Paul Wouters that argues that the authors of the Logjam paper overestimated the number of vulnerable VPN servers.

The short survey about Web security is now also available as a Surveymonkey questionnaire:

Web-security 5-question survey (via Surveymonkey)

The STREWS project is creating a roadmap for Web security in the next five years. In order not to miss any important aspects, STREWS has created a little survey with five questions. If you want good Web security research in the coming five years, please, help us by filling out this survey!

We will publish the anonymised results on the STREWS Web site.

(This version of the questionnaire requires a Web browser with JavaScript, but allows you to remain anonymous. The version we posted earlier is also still available and requires no JavaScript, but it is on a partner Web site and we could, if we wanted to, see your IP address and e-mail.)

We opened a 5-question survey to validate the results for our roadmap. Please, help us by filling it out here:

Web-security 5-question survey

This very small Web-based survey asks for input about the use of Web technologies and concerns about Web security. It is aimed at everybody who creates or maintains a Web site.

In other news:

The IETF is preparing for its 94th meeting, which will be held in Yokohama, Japan, from 1 to 6 November 2015. Early-bird registration is open until 23 October.

W3C published another Working Draft of MediaStream Recording (this version is from 8 September 2015). It is part of the collection of technologies that form WebRTC, the subject of STREWS's first case study. This draft is joint work by the WebRTC and Device API Working Groups. It mentions, but does not yet solve, privacy issues with the MediaStream API.

Another update to the report of the STRINT workshop was published on September 4. This update, number 03, is likely to be the final draft before the report is republished as an Informational RFC.

We are inviting people, especially those who maintain Web sites, to fill in our survey:

STREWS Web-security interactive survey

We would like to know what security threats you care about most and what (technical) means you already deploy to protect your Web sites and the sites' users.

The STREWS project is tasked with writing a European Roadmap for Research on Web Security. It provides guidance for ongoing and future research and standardisation. The roadmap will be useful for the European Union in determining future funding for research projects; and for standards organisations such as W3C and the IETF, to direct the development of security-related standards.

This survey will help us assign priorities to the topics in the roadmap.

The roadmap, in the form of a report, will be freely available from this site later this year.

We would especially like to have your input if you are coordinator of a European project (7th Framework, Horizon 2020), but also if you are the maintainer of a Web site, whether big or small.

The survey asks about:

  1. Use of web technologies
  2. Awareness of Web Security challenges
  3. Use of security enhancements
  4. Known gaps
  5. Awareness of mitigation techniques
  6. Mobile aspects

The survey is open until 2 October 2015.

The authors of the report of the STRINT workshop, held by STREWS in February 2014, published an updated report. This is the version 02, the third version after 00 and 01. It changes small (spelling) errors and it removes one appendix. The appendix, which contained the abstracts of all papers that were submitted to the workshop, is now integrated in the workshop's Web pages instead.

This version is officially still a draft. The final text will be an Internet RFC. When linking to the report, note that there are several URLs:

  1. The version on the W3C Web site, integrated in the STRINT Web pages, will always contain the latest version of the report, i.e., the URL is constant, but the content changes when the report is updated.
  2. The data tracker at the IETF shows the version history of the report, including detailed changes, and has links to the various formats (plain text, XML, PDF and HTML) in which the current version is available.

The European Commission, in the context of its “Digital Agenda for Europe”, is organizing a conference on cybersecurity. Registration closes Monday May 25. From the conference pages:

This event […] will be devoted to trust and security in the digital world. Gunther Oettinger, Commissioner for Digital Economy and Society, will open the conference.

Two years after the adoption of the EU Cybersecurity Strategy, coinciding with the announcement of the Digital Single Market Strategy of which cybersecurity is an important component, the High-level Conference will provide an overview of the state of play of the implementation of the five main priorities of the Strategy and showcase highlights of its main actions.

The Conference will be an opportunity to explore the way forward regarding the proposal for a Network and Information Security Directive, the EU cybersecurity industrial strategy and the next steps for capacity building for cyber defence and fighting cybercrime.

The agenda is available in PDF.

The United States Computer Emergency Readiness Team (US-CERT) normally puts out alerts about security failures in individual software systems, but this time decided to publish an article about Man-In-The-Middle (MITM) attacks in general and four existing mitigation strategies.

After a brief introduction to MITM attacks, it recommends that developers and software managers look at four technologies: TLS 1.1 or higher, certificate pinning, DNS-based Authentication of Named Entities (DANE) and network notary servers.

The IAB and ISOC invite papers for a workshop on large-scale, coordinated responses to security attacks. The workshop is called CARIS (Coordinating Attack Response at Internet Scale) and will be held in Berlin (Germany) on June 19, co-located with the FIRST Conference.

See the IAB site for information about the workshop and instructions for submitting papers or expressions of interest.

(Image: the film poster, showing Edward Snowden.) When the STREWS project started, in October 2012, the plan included a workshop for early 2014 about WebRTC. The workshop would be a complement to the project's first case study. But in June 2013, something happened. Edward Snowden, at the time a contractor working for the NSA, talked to the Guardian newspaper and revealed details of the secret electronic surveillance operations conducted by the NSA and GCHQ.

One of the journalists present at the first meetings between Snowden and the Guardian, Laura Poitras, made a documentary about how it all started, based on film material she shot at the time. The film, called Citizenfour, is already in cinemas in a few dozen countries and receives high scores on IMDb.

A new Internet Draft called Effect of Ubiquitous Encryption by Kathleen Moriarty and Al Morton describes the hurdles on the way to ubiquitous use of encryption for all Internet traffic.

A new group has been proposed on the Community Groups site of W3C called the Cryptoledgers Community Group. It aims to create a network of researchers studying Bitcoin, Ethereum and other cryptoledger-based applications.

The W3C Technical Architecture Group (TAG) issued a set of guidelines for W3C's standardisation efforts in a statement called Securing the Web. The statement is partly in response to the STRINT workshop by STREWS, which it explicitly mentions as a source in the acknowledgements.

The IAB issued a similar statement in November, called the IAB Statement on Internet Confidentiality, which the W3C TAG mentions as another source for its own statement.

The minutes from the W3C Workshop on Privacy and User-Centric Controls were published at the end of November.

This workshop was organised by W3C, with support from STREWS. The organisation was led by Rigo Wenning. The workshop was held November 20–21 in Berlin.

The workshop attracted a good mix of implementers, content providers and researchers. Some topics already raised at the STRINT workshop came up again, such as default configurations vs. user options. There were also demos of new user interfaces.

The W3C Workshop on Privacy and User-Centric Controls aims to study strategies for protecting people's private data on mobile devices. It brings together researchers and software developers, but also network operators and legislators.

Protecting data can take many forms: better user interfaces to make it clear to people what their data is used for; safer default settings for new apps; access control for metadata, such as log files; automatic deletion of old data; fine-grained permissions (which app or service can see which part of the data); anonymous/pseudonymous interaction with services; common terminology across apps and devices; etc.

Rigo Wenning, STREWS Technical Coordinator, is one of the organizers of the workshop and will be present in person.

Submission of position papers is possible until 31 October. See How to participate for detailed instructions.

The STRINT workshop concluded with some preliminary recommendations:

  • Encryption works and needs to be used more, despite its cost (which is steadily going down anyway).
  • Data minimization is worthwhile, too, but difficult: Traffic analysis research and protocol development need to work together.
  • The threat models discussed in the workshop should be written up in an RFC (either separately or as an update to BCP 72)
  • “Opportunistic Encryption” could benefit from a cookbook-like explanation for developers. (The term itself may also be confusing. Best effort encryption or opportunistic keying were suggested as alternatives.)
  • The technical community can do better in explaining the issues of Pervasive Monitoring to policy makers.
  • Similarly, user interfaces could be better. (Some people even argue that certain dangerous choices should simply not be offered anymore. But that requires coordination among software makers, otherwise some will be considered “broken” by users.) How to integrate UI issues into the processes of IETF and W3C needs further discussion.
  • Examples of good software configurations, guidelines for developers, cut-and-paste configurations for popular software, etc., can help. This is not standards work, but maybe the standards organizations can still help.
  • Software makers can do more to make the default (“out-of-the-box”) settings better for protecting privacy.
  • Captive portals, (and some firewalls, too) can and should be distinguished from real man-in-the-middle attacks. Maybe this just needs establishing common conventions with makers of such proxies, but maybe also new protocols.

There will be a full report later, but the slides, the minutes (day 1 and day 2), and the submitted papers are already available.

The STREWS project is guest editor for a special issue of the IEEE Internet Computing magazine. The theme is security and the real-time Web. This is a copy of the Call for Papers:

Call for Papers

The real-time Web (WebRTC) is a maturing technology involving many players in what could be a significant evolution or revolution for voice and video calls over the Internet. Although the WebRTC specifications attempt to address the security issues that will inevitably arise with making calls via the Web, there will nonetheless be a range of implementation, deployment, and other security issues that develop as this technology is deployed.

This special issue aims to bring together new research results from a variety of backgrounds that address these core challenges. Topics of interest include WebRTC security-related work in

  • key management and public-key infrastructure for WebRTC;
  • browser and Web server security;
  • user privacy; and
  • user interfaces for WebRTC security.

We encourage submissions from both academic and industrial practitioners, especially as they pertain to open source tools or products, but content must have technical merit, not be an advertisement.

Submission Guidelines

All submissions must be original manuscripts of fewer than 5,000 words, focused on Internet technologies and implementations. All manuscripts are subject to peer review on both technical merit and relevance to international readership – primarily practising engineers and academics who are looking for material that introduces new technology and broadens familiarity with current topics. We do not accept white papers, and we discourage strictly theoretical or mathematical papers. To submit a manuscript, please log on to ScholarOne to create or access an account, which you can use to log on to IC's Author Center and upload your submission.

Contact the editors Lieven Desmet and Martin Johns at <>.

IPEN (Internet Privacy Engineering Network) was created earlier this year by the European Data Protection Supervisor to support the technical work needed to increase privacy on the Internet.

The first IPEN workshop will take place on 26 September 2014 in Berlin. STREWS will be represented by Stephen Farrell, who will be on one of the panels.

(Registration for the workshop is open until 7 September.)

The deadline for position papers for the STRINT workshop has passed and submission is now closed.

(Cartoon: Two security experts. “But how do we get e-mail security?” “Let's assume a PKI.”)

We are pleased with the large number of papers we received. The Program Committee is currently reviewing them and we expect to inform the authors of the results around January 31. The complete workshop program will be published around February 7.

The deadline for submitting position papers to the STRINT workshop has been extended to Monday 20 January 2014

See the workshop site for how to submit.

The first STREWS workshop will be a joint W3C and IAB workshop. The name of the workshop is STRINT (“Strengthening the Internet Against Pervasive Monitoring”) and it will take place in London, on March 1, 2014. That is just before IETF 89.

As the name suggests, the main topic will be pervasive monitoring as a security threat, and what W3C and IETF can do against it in their future technologies.

For more information, including how to participate, see the workshop pages.