
AMCS/PICS Colloquium

Friday, October 2, 2015 - 2:00pm

Dr. Nadia Heninger

Assistant Professor of Computer and Information Science at Penn

Location

University of Pennsylvania

Towne Building, Room 337

Light snacks and refreshments will be served.

Diffie-Hellman key exchange is one of the most common methods of establishing secure cryptographic keys on the Internet. It is the main key exchange mechanism in SSH and IPsec and a popular option in TLS. We examine how Diffie-Hellman is commonly implemented and deployed with these protocols and find that, in practice, it frequently offers less security than widely believed. There are two reasons for this. First, a surprising number of servers use weak Diffie-Hellman parameters or maintain support for obsolete 1990s-era export-grade crypto. We present Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to "export-grade" Diffie-Hellman. More critically, the common practice of using standardized, hard-coded, or widely shared Diffie-Hellman parameters has the effect of dramatically reducing the cost of large-scale attacks, bringing some within range of feasibility today. In the 1024-bit case, we estimate that precomputation attacks are plausible given nation-state resources, and a close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break. Joint work with David Adrian, Karthikeyan Bhargavan, J. Alex Halderman, Benjamin VanderSloot, Eric Wustrow, Zakir Durumeric, Pierrick Gaudry, Matthew Green, Drew Springall, Emmanuel Thomé, Luke Valenta, Santiago Zanella-Béguelin, and Paul Zimmermann.
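The defensive check implied by the abstract, as an added example (not code from the talk or the Logjam paper): parse the ServerDHParams a TLS server sends in a DHE ServerKeyExchange, then rank the group by the risk tiers the abstract names (512-bit export-grade, 1024-bit plausibly precomputable by a nation state) and flag groups that appear in a caller-supplied set of widely shared moduli. The function names, the sample modulus (constructed, not a real prime) and the wording of the tiers are assumptions of this example.

```python
import struct
from typing import NamedTuple, Tuple, FrozenSet

class ServerDHParams(NamedTuple):
    p: int   # prime modulus
    g: int   # generator
    ys: int  # server public value g^x mod p

def _read_vector(data: bytes, off: int) -> Tuple[int, int]:
    """Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then the value."""
    if off + 2 > len(data):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    if n == 0 or off + n > len(data):
        raise ValueError("bad vector length")
    return int.from_bytes(data[off:off + n], "big"), off + n

def parse_server_dh_params(data: bytes) -> ServerDHParams:
    """Parse the ServerDHParams struct (dh_p, dh_g, dh_Ys) that precedes the signature in a DHE ServerKeyExchange."""
    p, off = _read_vector(data, 0)
    g, off = _read_vector(data, off)
    ys, off = _read_vector(data, off)
    if off != len(data):
        raise ValueError("trailing bytes after ServerDHParams")
    return ServerDHParams(p, g, ys)

def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of parse_server_dh_params; used here only to build constructed input."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack(">H", len(raw)) + raw
    return out

def classify_dh_group(p: int, widely_shared: FrozenSet[int] = frozenset()) -> str:
    """Map modulus size, and membership in a known shared-group set, to the risk tiers from the abstract."""
    bits = p.bit_length()
    if bits <= 512:
        tier = "export-grade: downgrade target, breakable with modest resources"
    elif bits < 1024:
        tier = "weak: below 1024 bits"
    elif bits == 1024:
        tier = "1024-bit: precomputation plausible with nation-state resources"
    else:
        tier = "above 1024 bits"
    if p in widely_shared:  # one precomputation for this p breaks every server that uses it
        tier += "; widely shared group, precomputation cost is amortized across servers"
    return tier

# Constructed sample: a 512-bit odd modulus (not a real prime, it only exercises the parser), g = 2, dummy Ys.
SAMPLE_P = (1 << 511) | 0x1A2B3C4D5E6F7081
SAMPLE_MSG = encode_server_dh_params(SAMPLE_P, 2, 0x1234567890ABCDEF)

if __name__ == "__main__":
    params = parse_server_dh_params(SAMPLE_MSG)
    print(classify_dh_group(params.p, frozenset({SAMPLE_P})))
```

In a real scan the set passed as `widely_shared` would be populated with the moduli observed across many hosts; this example leaves it to the caller.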