“More than eleven million https sites endangered by Drown attack ‘

Mar

2

2016

Security researchers have discovered a vulnerability that makes it possible to decrypt using the obsolete SSLv2 connections within hours that are secured with TLS. As a result, among other websites and mail servers affected.

The Drown -aanval with number CVE-2016-0800, which represents Decrypting using RSA Obsolete and Weakened Encryption works by building up several connections to a server using SSL v2. This might be outdated increasingly small pieces of information about the encryption key and can be decrypted in the end an intercepted TLS connection. A server is vulnerable to attack if it supports TLS and SSL v2 or the same private key is present on a SSLv2 server and a TLS server. One of these configurations according to the researchers at 33 percent of all HTTPS servers on the Internet for.

Normally disabled SSL v2, because it is an old ‘s implementation of the SSL protocol. Many servers appear, however, it is still to be supported, for example, by a wrong configuration. So it is in OpenSSL standard way that supports SSL v2 is disabled, but there are still managers who override these settings, reports Ars Technica. There are two vulnerabilities in OpenSSL, CVE-2015-3197 and CVE-2016-0703, which significantly easier and faster the attack. It is therefore recommended to perform the updates on Tuesday released . According to the researchers would no indication that the vulnerability is being actively used.

The attack, according to Ars Technica not easy to perform, because it assumes that the attacker can monitor traffic between a victim and the server. If the necessary information has been owned by the attacker, it can however with little trouble deciphering the connection. The researchers made a few hours before using the Amazon EC2 service for $ 440, converted approximately 405 euros.

The researchers have an online tool provided for checking whether a server is actually susceptible to the attack. It is not the first time, the security of SSL in the case, called the logjam attack was in May 2015 known .

Viewing:-188

In: Technology & Gadgets Asked By: [15754 Red Star Level]

Answer this Question

You must be Logged In to post an Answer.

Not a member yet? Sign Up Now »