Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Third of All HTTPS Websites Vulnerable To DROWN Attack (drownattack.com)

Posted by timothy on from the that-guy's-just-waving-about-sharks dept.

An anonymous reader writes: The OpenSSL project has released versions 1.0.2g and 1.0.1s to address a high severity security issue known as the DROWN attack (CVE-2016-0800) which allows attackers to break HTTPS and steal encrypted information. In layman terms, the attack uses an improperly patched issue (from 1998) in SSL to attack websites using the more modern TLS protocol. Servers where admins use SSL and TLS are in danger. Additionally, servers where only TLS is used, but the admins are sharing the same certificate for other servers where they have SSL, are also vulnerable, since the attack targets RSA, employed in both SSL and TLS. The entire attack is also easy to carry out, costing only $440 on Amazon EC2.

4 of 72 comments (clear)

  1. Re:Hiawatha by robmv · · Score: 4, Informative

    It is not an OpenSSL exclusive problem, Is a protocol one. If you have SSLv2 enabled, you are vulnerable

  2. Re:The name by Anonymous Coward · · Score: 3, Informative

    It's actually an acronym(-ish) for Decrypting RSA with Obsolete and Weakened eNcryption.

    It also lends itself to the term "my server got dr0wned".

  3. Re: Wow, really? by Anonymous Coward · · Score: 2, Informative

    LibreSSL is more robust and is a lean version of OpenSSL.

  4. Re: Wow, really? by Anonymous Coward · · Score: 5, Informative

    Um, LibreSSL removed SSLv2, so no. It is not vulnerable.

    http://undeadly.org/cgi?action=article&sid=20160301141941&mode=expanded