1. About the change
This change concerns the FlightStats Flex APIs, which reside at https://api.flightstats.com/ and are documented at https://developer.flightstats.com/. On July 27th, 2016, FlightStats modified the web servers at https://api.flightstats.com/ in order to increase encryption strength to acceptable levels. Specifically, we increased the encryption key size required during the Diffie-Hellman session key exchange from 1024 bits to 2048 bits.
Using a key smaller than 2048 bits makes the TLS connection vulnerable to the "LogJam" attack technique. The vulnerability is well documented here: https://weakdh.org/
The list of ciphers that https://api.flightstats.com/ supports will not change, but all TLS connections are impacted, as TLS connections always use Diffie-Hellman key exchange.
----------
2. Who is affected?
Nearly all modern TLS implementations support 2048 bit Diffie-Hellman keys. OpenSSL-based clients, as well as Java 7 and 8, support them by default.
Java 6 and below do not support 2048 bit DH key sizes. An exception like the following will occur when a default Java 6 JRE attempts to connect with TLS and 2048 bit Diffie-Hellman keys:
Exception in thread "main" javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
Caused by: java.lang.RuntimeException: Could not generate DH keypair
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)
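The size check behind this exception can be reproduced offline. The following is an added example, not FlightStats code: it parses the Diffie-Hellman parameters from a TLS 1.2 ServerKeyExchange handshake message (layout per RFC 5246), reports the prime size, and applies both the 2048 bit minimum and the Java 6 limit quoted in the exception. All function names are hypothetical, and the sample messages are constructed (the value of p has the right size but is not a real prime).

```python
MIN_DH_BITS = 2048            # minimum prime size after the change described here
HS_SERVER_KEY_EXCHANGE = 12   # TLS handshake message type (RFC 5246)


def _read_vec16(buf, off):
    """Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[off:off + 2], "big")
    end = off + 2 + n
    if n == 0 or end > len(buf):
        raise ValueError("bad vector length")
    return buf[off + 2:end], end


def dh_prime_bits(handshake):
    """Bit length of dh_p in a DHE ServerKeyExchange (any trailing signature is ignored)."""
    if len(handshake) < 4 or handshake[0] != HS_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    p, off = _read_vec16(body, 0)
    _, off = _read_vec16(body, off)   # dh_g, parsed only to validate the layout
    _read_vec16(body, off)            # dh_Ys, the server's public value
    return int.from_bytes(p, "big").bit_length()


def java6_accepts(bits):
    """The constraint stated in the Java 6 exception message above."""
    return 512 <= bits <= 1024 and bits % 64 == 0


def assess(handshake):
    bits = dh_prime_bits(handshake)
    return {"bits": bits, "meets_minimum": bits >= MIN_DH_BITS, "java6_ok": java6_accepts(bits)}


def make_sample(bits):
    """Constructed test message: p is an odd number of the requested size, not a real prime."""
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    body = b"".join(len(v).to_bytes(2, "big") + v for v in (p, b"\x02", b"\x01" * (bits // 8)))
    return bytes([HS_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for size in (1024, 2048):
        print(assess(make_sample(size)))
```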
----------
3. How can I test my software in advance?
If your software can establish a TLS connection to https://www.ssllabs.com/ssltest/viewMyClient.html, then it supports 2048 bit Diffie-Hellman keys.
----------
4. What if my software cannot support 2048 bit keys?
If you have software that cannot be modified to support 2048 bit keys, then we recommend installing an on-premise HTTPS proxy that accepts TLS connections with 1024 bit Diffie-Hellman keys and then relays the requests to https://api.flightstats.com/ over a TLS connection with 2048 bit Diffie-Hellman keys. We cannot offer specific guidance on this matter, as it is highly dependent on the characteristics and constraints of your infrastructure.
----------
[END]