Electronic news service of the Ministry of Communications and Information Technologies
Millions of supposedly secure websites at risk from 'DROWN' SSL vulnerability
As many as 11 million websites are at risk of a newly uncovered security vulnerability affecting HTTPS and other services that rely on SSL and TLS encryption, according to researchers.
They dubbed the vulnerability "DROWN".
SSL and TLS are widely used to encrypt web transactions and other highly sensitive traffic. And, in an era when more and more governments are engaging in large-scale web surveillance, HTTPS has been increasingly deployed to protect people's browsing of ordinary websites, too.
"DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Our measurements indicate 33 per cent of all HTTPS servers are vulnerable to the attack," claim the researchers behind the paper that explains how it works.
Their research indicates that one-quarter of top-level domains deploying HTTPS and one-third of all sites are vulnerable to the security flaw. The DROWN flaw centers on continuing legacy support for outdated crypto by website operators.
"Due to misconfigurations, many servers also still support SSLv2, a 1990s-era predecessor to TLS. This support did not matter in practice, since no up-to-date clients actually use SSLv2. Therefore, even though SSLv2 is known to be badly insecure, until now, merely supporting SSLv2 was not considered a security problem, because clients never used it.
"But DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.
"To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS," advise the researchers.
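The researchers' advice amounts to an audit of key reuse across services. The sketch below is an added example, not code from the article or the research paper: it takes an operator's own service inventory and reports every private key that is offered by at least one SSLv2-enabled service, together with the TLS-only services that share that key. The inventory format, field names, hostnames and key labels are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory (not real hosts): one row per listening SSL/TLS service.
# key_fp stands in for a fingerprint of the certificate's public key; "sslv2"
# records whether that service still accepts SSLv2 (from config review or a scan).
INVENTORY = [
    {"host": "www.example.test",  "port": 443, "key_fp": "KEY-A", "sslv2": False},
    {"host": "mail.example.test", "port": 25,  "key_fp": "KEY-A", "sslv2": True},
    {"host": "imap.example.test", "port": 993, "key_fp": "KEY-B", "sslv2": False},
    {"host": "pop.example.test",  "port": 995, "key_fp": "KEY-B", "sslv2": False},
    {"host": "old.example.test",  "port": 443, "key_fp": "KEY-C", "sslv2": True},
]


def endpoint(svc):
    return f'{svc["host"]}:{svc["port"]}'


def drown_exposure(inventory):
    """Map each key offered over SSLv2 to the endpoints that expose and share it."""
    by_key = defaultdict(list)
    for svc in inventory:
        by_key[svc["key_fp"]].append(svc)

    report = {}
    for key_fp, services in by_key.items():
        sslv2 = [s for s in services if s["sslv2"]]
        if not sslv2:
            continue  # this key is never offered by an SSLv2-enabled service
        report[key_fp] = {
            "sslv2_endpoints": sorted(endpoint(s) for s in sslv2),
            # every service sharing the key is affected, TLS-only ones included
            "affected": sorted(endpoint(s) for s in services),
        }
    return report


def tls_only_but_exposed(inventory):
    """Services with SSLv2 disabled that share a key with one that allows it."""
    exposed = drown_exposure(inventory)
    return sorted(endpoint(s) for s in inventory
                  if s["key_fp"] in exposed and not s["sslv2"])


if __name__ == "__main__":
    for key_fp, info in drown_exposure(INVENTORY).items():
        print(key_fp, "offered over SSLv2 at", info["sslv2_endpoints"])
        print("  affected services:", info["affected"])
    print("TLS-only but exposed:", tls_only_but_exposed(INVENTORY))
```

In the constructed data the HTTPS server has SSLv2 disabled but is still flagged, because the mail server presents the same key and accepts SSLv2.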
02/03/16