The DROWN Attack

DROWN stands for 'Decrypting RSA using Obsolete and Weakened Encryption'. In short, this means that TLS connections to a large proportion of websites, mail servers and VPNs are open to attack. SSLv2 was first released in 1995 and deprecated in 2011. It was found that 33% of all HTTPS servers and 22% of those with browser-trusted certificates are vulnerable to the attack. In a separate experiment it was found that OpenSSL, released in 1998, could also be vulnerable. By using an unpatched version of SSLv2, an attacker can decrypt a TLS ciphertext in one minute on a single CPU. This is fast enough to enable man-in-the-middle attacks against modern servers. 26% of all HTTPS servers are vulnerable to this attack. In most cases this vulnerability is simply due to server configurations not being updated. Some embedded devices that have not been updated in years are also vulnerable. OpenSSL, a free Apache toolkit for TLS and SSL protocols, provides an…