About 34.6 percent of all HTTPS websites open to Drown attack

March 2, 2016

Internet security researchers have discovered a new hacker technique for deciphering the contents of supposedly 'secure' communications.

Dubbed the Drown attack, and similar to the recent high-profile crypto attacks Lucky13, BEAST and POODLE, it is a “cross-protocol attack that can decrypt passively collected TLS sessions from up-to-date clients”.

One version of the attack exploits a combination of thus far unnoticed protocol security flaws in SSLv2 to develop a new and stronger variant of the earlier Bleichenbacher attack.

“A typical scenario requires the attacker to observe 1,000 TLS handshakes, then initiate 40,000 SSLv2 connections and perform 2^50 offline work to decrypt a 2048-bit RSA TLS cipher-text,” the researchers explain.

The attack does not need supercomputer number-crunching, and the sophistication it requires is well below that of intelligence agencies.

A team of researchers from universities in Germany, the United States and Israel, as well as two OpenSSL developers, implemented the attack and can decrypt a TLS 1.2 handshake using 2048-bit RSA in under eight hours.

Even lower-cost attacks are possible by combining the new techniques with a newly discovered security vulnerability in OpenSSL that was present in releases from 1998 to early 2015.

“Given an unpatched SSLv2 server to use as a proxy, we can decrypt a TLS cipher-text in minutes on a single CPU—fast enough to enable man-in-the-middle attacks against modern browsers,” the Drown researchers warned.

Fortunately, OpenSSL is publishing a fix, in versions 1.0.2g and 1.0.1s, to deal with the protocol security flaw. Many systems are vulnerable to an attack that may be comparable with Heartbleed.

“This security vulnerability is more than a product issue, it's a protocol flaw,” according to Ivan Ristic, a software engineer and founder of SSL Labs. “The impact is significant,” he warned.

Using internet-wide scans, the researchers found that 38 percent of all HTTPS servers and 22 percent of those with browser-trusted certificates are also vulnerable to the protocol-level attack, due to widespread key and certificate reutilization.
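The key-reuse point above means a TLS-only server is still exposed if any other endpoint offers SSLv2 with the same RSA key. The following audit of a scan inventory is an added example, not code from the article or the Drown researchers; the hostnames, key fingerprints and the `drown_exposure` function are constructed for illustration.

```python
# Added example: inventory audit for Drown exposure through RSA key reuse.
from collections import defaultdict

# Constructed scan records: (endpoint, protocols offered, fingerprint of RSA public key).
# Hostnames and fingerprints are made up for illustration.
SCAN = [
    ("www.example.test:443",  {"TLSv1.2"},            "aa11"),
    ("mail.example.test:465", {"SSLv2", "TLSv1.0"},   "aa11"),
    ("shop.example.test:443", {"TLSv1.1", "TLSv1.2"}, "bb22"),
    ("old.example.test:443",  {"SSLv2", "SSLv3"},     "cc33"),
    ("api.example.test:443",  {"TLSv1.2"},            "cc33"),
]

def drown_exposure(scan):
    """Map each exposed endpoint to (reason, other SSLv2 endpoints sharing its key).

    reason is 'direct' when the endpoint itself offers SSLv2, and 'key-reuse'
    when it does not but its RSA key is also served by an SSLv2 endpoint.
    """
    # First pass: index every SSLv2-capable endpoint by the key it serves.
    sslv2_by_key = defaultdict(list)
    for endpoint, protocols, key_fp in scan:
        if "SSLv2" in protocols:
            sslv2_by_key[key_fp].append(endpoint)

    # Second pass: any endpoint whose key appears in that index is exposed.
    findings = {}
    for endpoint, protocols, key_fp in scan:
        sslv2_peers = sslv2_by_key.get(key_fp, [])
        if not sslv2_peers:
            continue
        reason = "direct" if "SSLv2" in protocols else "key-reuse"
        findings[endpoint] = (reason, sorted(p for p in sslv2_peers if p != endpoint))
    return findings

if __name__ == "__main__":
    for endpoint, (reason, peers) in sorted(drown_exposure(SCAN).items()):
        print(f"{endpoint:24} {reason:10} SSLv2 endpoints sharing key: {peers or '-'}")
```

Endpoints reported as `key-reuse` are fixed by disabling SSLv2 on the listed peers or by giving them a separate key, not by changing the TLS-only server alone.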

Security researchers say that about 26 percent of the top million sites listed by Alexa are vulnerable to having their TLS broken through an attack on SSLv2.

Additionally, the researchers discovered the QUIC protocol is also vulnerable to a “variant of our attack that allows an attacker to impersonate a server indefinitely”.

“We thus conclude that SSLv2 is not only weak, but actively harmful to the TLS ecosystem,” the researchers warned at the outset.

A whitepaper on the research, 'Drown: Breaking TLS using SSLv2', was uploaded to the web yesterday. OpenSSL is not the only software vulnerable to the CVE-2016-0800 bug, as an advisory by Red Hat explains. A padding oracle flaw was also found in the Secure Sockets Layer version 2.0 (SSLv2) protocol.

An attacker can potentially use that security flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections.

This cross-protocol attack is publicly referred to as Drown. The release of the research coincides with the start of the RSA Conference. Some estimates suggest that about 68.3 percent of all web servers use software reliant on open-source OpenSSL.

Security watchers everywhere pay very close attention to OpenSSL vulnerabilities, particularly since the infamous Heartbleed attack of April 2014. Drown is not as bad as Heartbleed but it’s comparable, which is bad enough in and of itself.

Copyright © Internet Security.ca