NETWORK SECURITY DROWN HTTPS Vulnerability Threatens 11 Million Open SSL Web Sites – CIO Today

A newly discovered vulnerability could threaten the security of millions of Web sites previously thought to be relatively safe from attack. The exploit, called a DROWN attack, affects sites protected by some of the most common security measures such as HTTPS, SSL, and TLS.

Using DROWN, a hacker can break encryption to read users’ communications and steal usernames and passwords, credit card numbers, trade secrets and financial data. Around 33 percent of all HTTPS servers are vulnerable to DROWN, a group that includes Web sites, mail servers, and other TLS-dependent services, according to the research team that discovered the exploit.

The End User Is Defenseless

The exploit was discovered by a group of researchers from a number of academic institutions, tech companies, and open source projects, including Tel Aviv University, the University of Pennsylvania, the Hashcat project, the University of Michigan, Google, and the OpenSSL project.

What appears to be particularly frightening is the lack of options for end users to protect themselves from the threat. “Operators of vulnerable servers need to take action,” the research team wrote. “There is nothing practical that browsers or end-users can do on their own to protect against this attack.”

Any server that still supports the antiquated SSLv2 protocol is at risk from a DROWN attack, according to the team. Even if a server’s private key is used on another server that supports SSLv2, it is vulnerable.

The DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) attack allows a hacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.

How To Protect Your System

Using one form of the attack, the researchers were able to penetrate a vulnerable server in under a minute using a single PC. Even the general variant of the attack can be executed in less than eight hours for a total cost of $440, the researchers said.

To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. That includes Web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS. Disabling SSLv2, particularly across multiple servers, can be a daunting and complicated process.
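The key-reuse point above is the part of the cleanup that is easy to miss: a web server that has already dropped SSLv2 is still exposed if the same key is served by a mail server that has not. The following is an added example (not from the article or the research team) of an inventory check that flags every endpoint sharing a key with an SSLv2-capable endpoint; the hostnames, key fingerprints and `sslv2` flags are constructed, and in practice the flags would come from a protocol scan of your own hosts.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    service: str
    key_id: str   # fingerprint of the certificate's public key (e.g. an SPKI hash)
    sslv2: bool   # whether this endpoint still accepts SSLv2 handshakes


def drown_exposure(endpoints):
    """Return {"host:port": reason} for every endpoint exposed to DROWN.

    An endpoint is exposed if it accepts SSLv2 itself, or if its key is also
    served by any endpoint that does (the cross-server case from the article).
    """
    by_key = defaultdict(list)
    for ep in endpoints:
        by_key[ep.key_id].append(ep)

    exposed = {}
    for key_id, group in by_key.items():
        oracles = [ep for ep in group if ep.sslv2]
        if not oracles:
            continue  # nobody serves this key over SSLv2, so the key is fine
        oracle_names = ", ".join(f"{o.host}:{o.port} ({o.service})" for o in oracles)
        for ep in group:
            name = f"{ep.host}:{ep.port}"
            if ep.sslv2:
                exposed[name] = "accepts SSLv2 directly"
            else:
                exposed[name] = f"shares key {key_id} with SSLv2 endpoint(s): {oracle_names}"
    return exposed


# Constructed inventory (hypothetical hosts): one key shared by web and mail services
INVENTORY = [
    Endpoint("www.example.test", 443, "https", "spki:aaaa", sslv2=False),
    Endpoint("mail.example.test", 25, "smtp", "spki:aaaa", sslv2=True),
    Endpoint("imap.example.test", 993, "imaps", "spki:aaaa", sslv2=False),
    Endpoint("shop.example.test", 443, "https", "spki:bbbb", sslv2=False),
]

if __name__ == "__main__":
    for name, why in sorted(drown_exposure(INVENTORY).items()):
        print(f"{name}: {why}")
```

The web and IMAP endpoints are reported even though they refuse SSLv2 themselves, because the SMTP server still exposes their shared key; fixing the SMTP server clears all three.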

The researchers said that DROWN is the result of the U.S. government’s encryption restrictions that were designed to weaken Internet security in the 1990s.

“Although these restrictions, evidently designed to make it easier for NSA (National Security Agency) to decrypt the communication of people abroad, were relaxed nearly 20 years ago, the weakened cryptography remains in the protocol specifications and continues to be supported by many servers today, adding complexity — and the potential for catastrophic failure — to some of the Internet’s most important security features,” the researchers said.

The government deliberately weakened three kinds of cryptographic primitives: RSA encryption, Diffie-Hellman key exchange, and symmetric ciphers, according to the research team. The team said that decades later all three kinds of deliberately weakened cryptography have put the security of the Internet at risk.
