DROWN vulnerable HTTPS connections

The OpenSSL project has just released updates 1.0.2g and 1.0.1s to address a high-severity security issue. The vulnerability allows DROWN attacks (CVE-2016-0800), which let attackers bypass secure HTTPS connections and steal encrypted information.

DROWN is short for “Decrypting RSA using Obsolete and Weakened eNcryption” and was discovered by a team of 15 researchers from various universities in the INFOSEC community.

The DROWN attack relies on both the SSLv2 and TLS protocols being present on the target machines. It is an attack across both protocols, meaning that it uses the weaknesses of SSLv2 against TLS.

The weakness comes from the Bleichenbacher attack on RSA, an encryption scheme used by SSL as well as TLS. Before an encrypted connection is established, the client chooses a random session key, which is encrypted using RSA and sent to the server, which then authenticates the client and initiates the HTTPS connection.

The Bleichenbacher attack was discovered in the late 90s. It provides a way to obtain the original RSA key based only on a "yes" or "no" server response to the question "is this an RSA session key?"

The researchers behind the DROWN attack discovered new ways to use the Bleichenbacher attack, leveraging SSLv2 fixes and additions.

The attack also works against TLS connections, a protocol that is considered superior to SSL. However, regardless of the differences between them, both protocols use the same RSA session encryption key to create an HTTPS connection.

Who's in danger?

Only servers that still use SSLv2 and TLS at the same time are vulnerable. So disabling SSLv2 on your server should be the first thing you do.

In addition, the researchers warn about a particular server setup that could expose systems to the vulnerability even if the main site only uses TLS.

"You are also at risk if the certificate or a key from your site is used elsewhere on a server that does not support SSLv2," the researchers said.

"Common examples include SMTP, IMAP, POP mail servers, and the HTTPS secondary server used for specific web applications."

Note that Canonical, to its credit, has already updated Ubuntu.
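An added example (not part of the original article) of auditing a service inventory for the two exposures described under "Who's in danger?": a service with SSLv2 enabled, and a TLS-only service whose RSA key is also installed on another service where SSLv2 is enabled. The inventory, host names, field names and key fingerprints are constructed placeholders; the shared-key rule assumes the exposure arises when the other server accepts SSLv2.

```python
from collections import defaultdict

# Constructed sample inventory: one record per listening SSL/TLS service.
# "key_fp" is a placeholder for a fingerprint of the service's RSA public key.
INVENTORY = [
    {"service": "www.example.test:443",  "protocols": {"TLSv1.2"},          "key_fp": "KEY-A"},
    {"service": "mail.example.test:465", "protocols": {"SSLv2", "TLSv1.0"}, "key_fp": "KEY-A"},
    {"service": "imap.example.test:993", "protocols": {"TLSv1.2"},          "key_fp": "KEY-B"},
    {"service": "old.example.test:8443", "protocols": {"SSLv2", "TLSv1.0"}, "key_fp": "KEY-C"},
    {"service": "api.example.test:443",  "protocols": {"TLSv1.2"},          "key_fp": "KEY-D"},
]


def drown_exposure(inventory):
    """Return {service: (status, reason)} for every service in the inventory."""
    # Group services by RSA key so key reuse across hosts and ports is visible.
    by_key = defaultdict(list)
    for svc in inventory:
        by_key[svc["key_fp"]].append(svc)

    report = {}
    for group in by_key.values():
        # Services in this key group that still accept SSLv2.
        sslv2_peers = sorted(s["service"] for s in group if "SSLv2" in s["protocols"])
        for svc in group:
            name = svc["service"]
            if "SSLv2" in svc["protocols"]:
                report[name] = ("direct", "SSLv2 is enabled here; disable it")
            elif sslv2_peers:
                # TLS-only service, but its key is reachable through SSLv2 elsewhere.
                report[name] = ("shared-key",
                                "RSA key also served with SSLv2 on " + ", ".join(sslv2_peers))
            else:
                report[name] = ("ok", "no SSLv2 here or on any service sharing this key")
    return report


if __name__ == "__main__":
    for name, (status, reason) in sorted(drown_exposure(INVENTORY).items()):
        print(f"{status:10} {name:24} {reason}")
```

A "shared-key" finding is cleared either by disabling SSLv2 on the listed peer or by issuing the TLS-only service its own key and certificate.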


Written by giorgos
