New OpenSSL version fixes flaw causing denial-of-service

Jun 25, 2015 17:09 GMT

The newest release of the Node.js runtime environment includes an update to the OpenSSL crypto library that prevents downgrading the encryption offered by the Diffie-Hellman key exchange mechanism.

Node.js is a platform for creating scalable network applications in a faster and more efficient way. It relies on an event-driven model for building JavaScript server-side apps that can handle large amounts of data in real time and can be deployed across distributed devices.

The Diffie-Hellman key exchange mechanism provides secure communication between two parties that have no prior knowledge of one another, and it is implemented in numerous web and mail services. The keys exchanged are temporary and can decrypt only part of the conversation, not the entire session between two clients.

The Logjam vulnerability affects the TLS (Transport Layer Security) secure communication protocol, which includes export-grade variants of Diffie-Hellman that rely on easy-to-break 512-bit cryptography.

Update removes crypto key downgrade and DoS attack possibilities

The fix, now shipped in Node.js 0.12.5, is to refuse handshakes that use Diffie-Hellman keys shorter than 768 bits.

“Although it is a breaking change in a stable version, the Node.js TSC determined that this is the best path forward to ensure the security of software written with this and future stable versions of node,” informs an advisory from the developers.

Should problems occur, developers are asked to report them on the project’s GitHub issue tracker.

The new revision released this week incorporates OpenSSL 1.0.1o, which addresses multiple security vulnerabilities, including CVE-2015-1788. Exploiting this flaw in TLS applications written with Node.js can cause a denial-of-service condition.

Updated Node.js builds for all supported platforms are available directly from the developer.