Johns Hopkins crypto researcher Matthew Green thinks he might have an explanation for how the NSA attacked VPN services: flaws in how TLS implements Diffie-Hellman cryptography.
In what's bound to be the next big branded bug, Green says that if a server still supports 512-bit “export-grade” Diffie-Hellman (DH), a man-in-the-middle can force a connection down to that weak level. The client will still believe it negotiated stronger keys, such as 768-bit or 1024-bit, because the server's signed DH parameters are passed through unchanged and only the cipher suite label is altered.
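The downgrade above, as an added illustration that is not code from the Logjam paper or weakdh.org: the handshake messages are toy dicts, the "signature" is a tuple standing in for the server's ServerKeyExchange signature, and the DH moduli are constructed odd numbers of the right bit length (only the size matters for this check; real groups are primes). The suite names are the real TLS cipher suite identifiers; everything else is assumed for the model.

```python
"""Toy model of the Logjam downgrade against a TLS DHE handshake."""

DHE = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
DHE_EXPORT = "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"

# Constructed stand-ins for the server's two DH groups (bit length is exact,
# primality is not modelled).
GROUPS = {
    DHE: (1 << 1023) | 1,        # 1024-bit modulus
    DHE_EXPORT: (1 << 511) | 1,  # 512-bit "export" modulus
}


def server_respond(client_hello):
    """Server picks the first offered suite it supports and answers with a
    ServerHello plus ServerKeyExchange. In TLS 1.2 and earlier the signature
    in ServerKeyExchange covers the randoms and the DH parameters, but not
    the negotiated cipher suite."""
    for suite in client_hello["cipher_suites"]:
        if suite in GROUPS:
            p = GROUPS[suite]
            return {
                "cipher_suite": suite,
                "dh_p": p,
                "dh_g": 2,
                # stand-in for Sign(sk, client_random || server_random || p || g || Ys)
                "signature": ("signed-by-server", p, 2),
            }
    raise ValueError("no cipher suite in common")


def logjam_mitm(client_hello):
    """Man-in-the-middle: rewrite the ClientHello to offer only DHE_EXPORT so
    the server uses its 512-bit group, then relabel the ServerHello with the
    full-strength suite the client asked for. The DH parameters and their
    signature are forwarded untouched, so they still verify at the client."""
    tampered = dict(client_hello, cipher_suites=[DHE_EXPORT])
    server_hello = server_respond(tampered)
    return dict(server_hello, cipher_suite=client_hello["cipher_suites"][0])


def signature_valid(server_hello):
    """Toy verification: the signature binds (p, g) to the server, never the suite."""
    expected = ("signed-by-server", server_hello["dh_p"], server_hello["dh_g"])
    return server_hello["signature"] == expected


def client_accepts(server_hello, min_dh_bits):
    """Client-side validation. A pre-Logjam client (min_dh_bits=0) checked
    only that the chosen suite was one it offered and that the signature
    verified; a patched client also rejects groups below min_dh_bits."""
    if server_hello["cipher_suite"] != DHE:
        return False
    if not signature_valid(server_hello):
        return False
    return server_hello["dh_p"].bit_length() >= min_dh_bits


def run(attacked, min_dh_bits):
    """Return (suite as the client sees it, modulus bits, accepted?)."""
    client_hello = {"cipher_suites": [DHE]}  # the client never offers export suites
    hello = logjam_mitm(client_hello) if attacked else server_respond(client_hello)
    return hello["cipher_suite"], hello["dh_p"].bit_length(), client_accepts(hello, min_dh_bits)


if __name__ == "__main__":
    print(run(attacked=False, min_dh_bits=1024))  # (DHE, 1024, True)
    print(run(attacked=True, min_dh_bits=0))      # (DHE, 512, True): downgrade goes unnoticed
    print(run(attacked=True, min_dh_bits=1024))   # (DHE, 512, False): patched client refuses
```

One caveat the model leaves out: real TLS Finished messages cover the whole handshake transcript, including the original ClientHello, so the attacker has to recover the 512-bit DH shared secret within the handshake timeout to forge them. That is why the paper's precomputation against the common 512-bit groups matters, and why the practical client-side fix is exactly the `min_dh_bits` check above: refuse any DH group below 1024 bits regardless of which suite the server claims to have chosen.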
Like so many things – including the similar FREAK flaw – the bug is ancient: a 20-year-old SSL bug that was inherited by TLS.
Green has hosted a site discussing what's being called "Logjam", Weakdh.org, with a detailed academic paper here (PDF).