Slashdot Mirror


A Third of All HTTPS Websites Vulnerable To DROWN Attack (drownattack.com)

An anonymous reader writes: The OpenSSL project has released versions 1.0.2g and 1.0.1s to address a high severity security issue known as the DROWN attack (CVE-2016-0800) which allows attackers to break HTTPS and steal encrypted information. In layman's terms, the attack uses an improperly patched issue (from 1998) in SSL to attack websites using the more modern TLS protocol. Servers where admins use SSL and TLS are in danger. Additionally, servers where only TLS is used, but the admins are sharing the same certificate for other servers where they have SSL, are also vulnerable, since the attack targets RSA, employed in both SSL and TLS. The entire attack is also easy to carry out, costing only $440 on Amazon EC2.
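The two exposure cases in the summary (a listener that accepts SSLv2 itself, and a TLS-only listener whose certificate is also used where SSLv2 is accepted) can be checked over a service inventory. This is an added example, not part of the submission or of OpenSSL; the inventory format, hostnames and key fingerprints are constructed, and "same certificate" is modelled as the same RSA key fingerprint.

```python
from collections import defaultdict

# Constructed sample inventory (not from the article): one record per TLS/SSL
# listener, with the protocols it accepts and a fingerprint of the RSA key in
# its certificate. Hostnames and fingerprints are placeholders.
INVENTORY = [
    {"service": "www.example.test:443", "protocols": {"TLSv1.2"}, "key_fp": "KEY-A"},
    {"service": "mail.example.test:25", "protocols": {"SSLv2", "TLSv1.0"}, "key_fp": "KEY-A"},
    {"service": "old.example.test:443", "protocols": {"SSLv2", "SSLv3"}, "key_fp": "KEY-B"},
    {"service": "api.example.test:443", "protocols": {"TLSv1.2"}, "key_fp": "KEY-C"},
]


def drown_exposure(inventory):
    """Return {service: reason} for every listener exposed to DROWN.

    A listener is exposed if it accepts SSLv2 itself, or if any other
    listener using the same RSA key accepts SSLv2.
    """
    # First pass: which keys are reachable through an SSLv2 listener?
    sslv2_by_key = defaultdict(list)
    for rec in inventory:
        if "SSLv2" in rec["protocols"]:
            sslv2_by_key[rec["key_fp"]].append(rec["service"])

    # Second pass: flag every listener whose key appears in that set.
    findings = {}
    for rec in inventory:
        sharing = sslv2_by_key.get(rec["key_fp"], [])
        if "SSLv2" in rec["protocols"]:
            findings[rec["service"]] = "accepts SSLv2 directly"
        elif sharing:
            findings[rec["service"]] = (
                "TLS-only, but shares its key with SSLv2 listener(s): "
                + ", ".join(sorted(sharing))
            )
    return findings


if __name__ == "__main__":
    for service, reason in sorted(drown_exposure(INVENTORY).items()):
        print(f"{service}: {reason}")
```

Disabling SSLv2 on the mail listener clears the finding for the web listener as well, since both use the same key.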

7 of 72 comments

  1. Re:Hiawatha by robmv · · Score: 4, Informative

    It is not an OpenSSL-exclusive problem, it is a protocol one. If you have SSLv2 enabled, you are vulnerable.

  2. Re:Hiawatha by Aethedor · · Score: 4, Interesting

    Sure, but that's how mbed TLS (formerly PolarSSL, the TLS library used in Hiawatha) and Hiawatha helped me. mbed TLS dropped support for it long ago and Hiawatha uses sane and secure default settings. Without any tweaking, it gives you an A rating at ssllabs.com.

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
  3. Re:Wow, really? by Anonymous Coward · · Score: 4, Funny

    Use open source software. OSS has had years if not decades of eyeballs scouring it for vulnerabilities. While occasionally something still gets found, it is not typically severe and is quickly patched.

  4. [REDUNDANT] by darkain · · Score: 4, Funny

    [REDUNDANT]

    Good thing /. isn't vulnerable at all, thanks to its lack of HTTPS support!

  5. Re:The name by Anonymous Coward · · Score: 3, Informative

    It's actually an acronym(-ish) for Decrypting RSA with Obsolete and Weakened eNcryption.

    It also lends itself to the term "my server got dr0wned".

  6. Re:Hiawatha by WaffleMonster · · Score: 3, Insightful

    So glad that I'm using a webserver that does NOT use this abomination called OpenSSL

    It uses the abomination called PolarSSL with its own history of exploitable vulnerabilities.

    and was written with security in mind

    Using naïve heuristics to defend against SQLi and XSS demonstrates the opposite.

    Drown, Heartbleed, Slowloris, etc, never caused me any trouble.

    Whose fault is allowing SSLv2 and export ciphers in 2016? All those poor site operators... OpenSSL made me do it!!

    --
    https://technet.microsoft.com/...

  7. Re: Wow, really? by Anonymous Coward · · Score: 5, Informative

    Um, LibreSSL removed SSLv2, so no. It is not vulnerable.

    http://undeadly.org/cgi?action=article&sid=20160301141941&mode=expanded