Date: 02/03/16
Millions of supposedly secure websites at risk from 'DROWN' SSL vulnerability
As many as 11 million websites are at risk of a newly uncovered security vulnerability affecting HTTPS and other services that rely on SSL and TLS encryption, according to researchers. They dubbed the vulnerability "DROWN". SSL and TLS are widely used to encrypt web transactions and other highly sensitive traffic. And, in an era when more and more governments are engaging in large-scale web surveillance, HTTPS has been increasingly deployed to protect people's browsing of ordinary websites, too.
"DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Our measurements indicate 33 per cent of all HTTPS servers are vulnerable to the attack," claim the researchers behind the paper that explains how it works.
Their research indicates that one-quarter of top-level domains deploying HTTPS and one-third of all sites are vulnerable to the security flaw. The DROWN flaw centers on continuing legacy support for outdated crypto by website operators. "Due to misconfigurations, many servers also still support SSLv2, a 1990s-era predecessor to TLS. This support did not matter in practice, since no up-to-date clients actually use SSLv2. Therefore, even though SSLv2 is known to be badly insecure, until now, merely supporting SSLv2 was not considered a security problem, because clients never used it.
"But DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.
"To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS," advise the researchers.
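The advice above turns on one fact: a private key is exposed wherever it is used, so a web server is at risk if the same key sits on a mail or IMAP server that still accepts SSLv2. The inventory check below is an added example, not code from the article or from the DROWN researchers; it assumes you collect the DER-encoded leaf certificate from each of your own endpoints (`fetch_cert` covers direct-TLS ports such as 443 or 993; STARTTLS ports are left to the caller) and it groups endpoints by the public key inside the certificate, so shared keys are found even when the certificates themselves differ.

```python
import hashlib
import socket
import ssl
from collections import defaultdict


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def spki_fingerprint(der_cert):
    """SHA-256 of the SubjectPublicKeyInfo of an X.509 DER certificate."""
    _, pos, _ = _tlv(der_cert, 0)              # Certificate SEQUENCE
    _, pos, tbs_end = _tlv(der_cert, pos)      # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der_cert, pos)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):   # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(der_cert, pos)
    tag, _, end = _tlv(der_cert, pos)          # subjectPublicKeyInfo
    if tag != 0x30 or end > tbs_end:
        raise ValueError("not a DER X.509 certificate")
    return hashlib.sha256(der_cert[pos:end]).hexdigest()


def shared_keys(certs):
    """Map endpoint -> DER cert into {fingerprint: [endpoints]} for keys seen
    on more than one endpoint; every such group must be free of SSLv2."""
    groups = defaultdict(list)
    for endpoint, der in certs.items():
        groups[spki_fingerprint(der)].append(endpoint)
    return {fp: sorted(eps) for fp, eps in groups.items() if len(eps) > 1}


def fetch_cert(host, port, timeout=5.0):
    """Fetch the leaf certificate (DER) from a direct-TLS endpoint such as
    443 or 993; STARTTLS ports need the protocol-specific upgrade first."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE            # inventory only, no validation
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```

Feed `shared_keys` a dict such as `{"www:443": fetch_cert("www", 443), "mail:465": fetch_cert("mail", 465)}`; any group it returns is a key whose every endpoint, including SMTP, IMAP and POP ones, has to reject SSLv2.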
©ictnews.az. All rights reserved.