DROWN: vulnerable HTTPS connections

The OpenSSL project has just released updates 1.0.2g and 1.0.1s to address a high-severity security issue. The issue allows DROWN attacks (CVE-2016-0800). The attack allows attackers to bypass secure HTTPS connections and intercept encrypted communications.

DROWN is short for “Decrypting RSA using Obsolete and Weakened eNcryption” and was discovered by a team of 15 researchers from various universities in the community.

The principle behind the DROWN attack is based on the presence of both SSLv2 and TLS protocols on target machines. It is an attack on both protocols, which means that it will use the weaknesses of SSLv2 against TLS.

The weakness stems from the Bleichenbacher attack on RSA, an encryption system used by SSL and TLS. Before an encrypted connection is established, the client selects a random session key, encrypts it with RSA and sends it to the server, which then validates the client and initiates the HTTPS connection.

The Bleichenbacher attack was discovered in the late 90s. It offers a way to obtain the original RSA key based only on a "yes" or "no" server response to the question "is this an RSA session key?"

The researchers behind the DROWN attack discovered new ways of using the Bleichenbacher attack, utilizing SSLv2 fixes and additions.

The attack also works against TLS connections, a protocol that is considered superior to SSL. Regardless of the differences between them, both protocols use the same RSA session key encryption to create an HTTPS connection.

Who's in danger?

Only the servers that still use SSLv2 and TLS at the same time are vulnerable. So disabling SSLv2 on your server should be the first thing you do.

In addition, the researchers warn about a particular server setup that could expose systems to the vulnerability even if the main site only uses TLS.

"You are also at risk if the certificate or a key from your site is used elsewhere on a server that does not support SSLv2," the researchers said.

"Common examples include SMTP, IMAP, POP mail servers, but also the secondary HTTPS server used for specific . "

Note that Canonical, for its part, has already updated the operating system.
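The shared certificate or key risk the researchers describe can be checked from a service inventory. The following is an added example, not code from the article or from the DROWN researchers: it assumes an inventory of endpoints with the fingerprint of the RSA key each one presents and the protocol versions it accepts, and it treats an endpoint as exposed when its key is also presented by any endpoint that accepts SSLv2. Host names, fingerprints and function names are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    service: str
    key_fp: str           # fingerprint of the RSA public key the endpoint presents
    protocols: frozenset  # protocol versions the endpoint accepts


# Constructed inventory (hypothetical hosts and fingerprints), e.g. a scanner export.
INVENTORY = [
    Endpoint("www.example.test", 443, "https", "fp-A", frozenset({"TLSv1.2"})),
    Endpoint("mail.example.test", 25, "smtp", "fp-A", frozenset({"SSLv2", "TLSv1.0"})),
    Endpoint("old.example.test", 443, "https", "fp-B", frozenset({"SSLv2", "TLSv1.0"})),
    Endpoint("api.example.test", 443, "https", "fp-C", frozenset({"TLSv1.2"})),
]


def drown_exposure(inventory):
    """Return {endpoint: reason} for every endpoint whose RSA key is reachable over SSLv2."""
    by_key = defaultdict(list)
    for ep in inventory:
        by_key[ep.key_fp].append(ep)
    findings = {}
    for eps in by_key.values():
        sslv2 = [e for e in eps if "SSLv2" in e.protocols]
        if not sslv2:
            continue  # this key is never offered over SSLv2
        for ep in eps:
            if "SSLv2" in ep.protocols:
                findings[ep] = "accepts SSLv2 itself"
            else:
                others = ", ".join(f"{e.host}:{e.port}" for e in sslv2)
                findings[ep] = f"TLS-only, but shares key with SSLv2 endpoint {others}"
    return findings


def remediation_targets(inventory):
    """Endpoints where SSLv2 has to be disabled (or the key replaced) to clear the findings."""
    return sorted(f"{e.host}:{e.port}" for e in inventory if "SSLv2" in e.protocols)


if __name__ == "__main__":
    for ep, why in drown_exposure(INVENTORY).items():
        print(f"{ep.host}:{ep.port} ({ep.service}): {why}")
    print("Disable SSLv2 on:", remediation_targets(INVENTORY))
```

In the sample inventory the TLS-only web server is flagged because the mail server presents the same key and still accepts SSLv2, which is the setup the researchers warn about.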


Written by giorgos
