NETWORK SECURITY DROWN HTTPS Vulnerability Threatens 11 Million OpenSSL Web Sites – CIO Today

A newly discovered vulnerability could threaten the security of millions of Web sites previously thought to be relatively safe from attack. The attack, called DROWN, affects sites that rely on HTTPS, that is, on the SSL/TLS protocols that are among the most common security measures on the Web.

Using DROWN, a hacker can break the encryption to read users’ communications and steal usernames and passwords, credit card numbers, trade secrets and financial data. Around 33 percent of all HTTPS servers are vulnerable to DROWN, a group that includes Web sites, mail servers, and other TLS-dependent services, according to the research team that discovered the attack.

The End User Is Defenseless

The exploit was discovered by a group of researchers from a number of academic institutions, tech companies, and open source projects, including Tel Aviv University, the University of Pennsylvania, the Hashcat project, the University of Michigan, Google, and the OpenSSL project.

What appears to be particularly frightening is the lack of options for end users to protect themselves from the threat. “Operators of vulnerable servers need to take action,” the research team wrote. “There is nothing practical that browsers or end-users can do on their own to protect against this attack.”

Any server that still supports the antiquated SSLv2 protocol is at risk from a DROWN attack, according to the team. A server that has SSLv2 disabled is still vulnerable if its private key is also used on another server, such as a mail server, that does accept SSLv2 connections.

The DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) attack allows a hacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.

How To Protect Your System

Using one form of the attack, the researchers were able to decrypt a TLS connection to a vulnerable server in under a minute on a single PC. Even the general variant of the attack can be carried out in under eight hours for a total cost of $440 in rented cloud computing time, the researchers said.

To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. That includes Web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS. Disabling SSLv2, particularly across multiple servers that share a certificate, can be a daunting and complicated process.
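The practical first step for an operator is to find out which hosts still answer SSLv2 at all. The following Python probe is an added example, not code from the CIO Today article or from the DROWN researchers' own scanner: it builds an SSLv2 CLIENT-HELLO that offers every SSLv2 cipher kind, parses the SERVER-HELLO, and reports whether the server accepted SSLv2 and whether it offered one of the 40-bit export ciphers that the general DROWN attack relies on. Message layouts follow the SSLv2 draft specification; the reply bytes embedded below are constructed samples, not captures from any real server, and `probe()` is the only function that touches the network.

```python
"""Minimal SSLv2 probe: does this host still speak SSLv2, and with which ciphers?"""
import socket
import struct

# SSLv2 CIPHER-KIND codes (3 bytes each) and their names from the SSLv2 draft.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# The 40-bit "export" kinds; general DROWN needs the server to offer one of these.
EXPORT40_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}

MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
NOT_SSLV2 = {"sslv2": False, "ciphers": [], "export": False}


def ssl2_record(payload):
    """Wrap a message in the 2-byte SSLv2 record header: high bit set, 15-bit length."""
    assert len(payload) < 0x8000
    return struct.pack("!H", 0x8000 | len(payload)) + payload


def build_client_hello(challenge=b"\x00" * 16):
    """CLIENT-HELLO (version 0x0002) offering all seven SSLv2 cipher kinds, no session ID."""
    assert 16 <= len(challenge) <= 32
    ciphers = b"".join(SSLV2_CIPHERS)
    header = struct.pack("!BHHHH", MSG_CLIENT_HELLO, 0x0002,
                         len(ciphers), 0, len(challenge))
    return ssl2_record(header + ciphers + challenge)


def split_record(data):
    """Return (header_len, body_len) for the SSLv2 record starting at data[0]."""
    if data[0] & 0x80:                                  # 2-byte header, no padding
        return 2, ((data[0] & 0x7F) << 8) | data[1]
    return 3, ((data[0] & 0x3F) << 8) | data[1]         # 3-byte header, padding byte follows


def parse_server_hello(data):
    """
    Classify the reply to our CLIENT-HELLO.  "sslv2" is True only for a
    well-formed SSLv2 SERVER-HELLO; "ciphers" lists the kinds the server
    echoed back; "export" is True if any of them is a 40-bit export kind.
    A TLS alert, garbage or an empty reply all yield sslv2=False.
    """
    if len(data) < 3:
        return dict(NOT_SSLV2)
    hdr, length = split_record(data)
    msg = data[hdr:hdr + length]
    if len(msg) < 11 or msg[0] != MSG_SERVER_HELLO:
        return dict(NOT_SSLV2)
    # session-id-hit(1) cert-type(1) version(2) cert-len(2) cipher-len(2) conn-id-len(2)
    _hit, _cert_type, version, cert_len, cipher_len, _conn_len = struct.unpack("!BBHHHH", msg[1:11])
    if version != 0x0002:
        return dict(NOT_SSLV2)
    raw = msg[11 + cert_len:11 + cert_len + cipher_len]          # cipher kinds follow the cert
    codes = [raw[i:i + 3] for i in range(0, len(raw) - len(raw) % 3, 3)]
    return {
        "sslv2": True,
        "ciphers": [SSLV2_CIPHERS.get(c, "UNKNOWN-" + c.hex()) for c in codes],
        "export": any(c in EXPORT40_CIPHERS for c in codes),
    }


def probe(host, port=443, timeout=5.0):
    """Send the CLIENT-HELLO to a live implicit-TLS port and classify the reply (network)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = b""
        try:
            # Read until the whole first record is in, or the server hangs up.
            while len(data) < 3 or len(data) < sum(split_record(data)):
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return parse_server_hello(data)


# Constructed sample replies (not captures from any real host):
# (1) an SSLv2 SERVER-HELLO with a placeholder 4-byte "certificate", three cipher
#     kinds including a 40-bit export one, and a 16-byte connection ID;
# (2) a fatal TLS protocol_version alert, the kind of answer a TLS-only server gives.
SAMPLE_SERVER_HELLO = ssl2_record(
    struct.pack("!BBBHHHH", MSG_SERVER_HELLO, 0, 1, 0x0002, 4, 9, 16)
    + b"CERT"
    + b"\x01\x00\x80" + b"\x02\x00\x80" + b"\x07\x00\xc0"
    + b"\x00" * 16
)
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:      # usage: sslv2_probe.py HOST [PORT]
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
    else:                      # offline demo on the constructed sample
        print(parse_server_hello(SAMPLE_SERVER_HELLO))
```

Run it against every service that shares the certificate, not only the Web server: port 443 for HTTPS, and the implicit-TLS mail ports 465, 993 and 995. STARTTLS services on ports 25, 110 and 143 need the STARTTLS exchange before the handshake, which this probe does not perform. A result with `"sslv2": True` on any host that shares the key means the whole deployment is exposed; after turning the protocol off (for example `SSLProtocol all -SSLv2 -SSLv3` in Apache or `smtpd_tls_protocols = !SSLv2, !SSLv3` in Postfix), re-run the probe and expect `"sslv2": False` everywhere.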

The researchers said that DROWN is a legacy of the U.S. government’s encryption export restrictions of the 1990s, which deliberately weakened the cryptography that could be shipped abroad.

“Although these restrictions, evidently designed to make it easier for NSA (National Security Agency) to decrypt the communication of people abroad, were relaxed nearly 20 years ago, the weakened cryptography remains in the protocol specifications and continues to be supported by many servers today, adding complexity — and the potential for catastrophic failure — to some of the Internet’s most important security features,” the researchers said.

The government deliberately weakened three kinds of cryptographic primitives: RSA encryption, Diffie-Hellman key exchange, and symmetric ciphers, according to the research team. The team said that decades later all three kinds of deliberately weakened cryptography have put the security of the Internet at risk.

