An international group of researchers has discovered that web traffic encrypted with Transport Layer Security (TLS) can be decrypted if a server also supports the antiquated SSLv2 cryptographic protocol. The researchers estimate that a staggering 33% of HTTPS-enabled sites are vulnerable to this attack, which they call DROWN, for Decrypting RSA using Obsolete and Weakened eNcryption.
While the SSLv2 protocol has long been known to be weak, the attack is significant because traffic encrypted with the stronger TLS protocol is potentially vulnerable. Communication from a client—like a web browser or mail transfer agent—that insists on TLS encryption may still be subject to the DROWN attack if the server it's talking to supports SSLv2. Using the main DROWN attack variant, the researchers say they were able to decrypt a 2048-bit RSA TLS ciphertext in less than 8 hours using just $440 worth of Amazon EC2 resources.
The attack has its own website that includes a technical paper with more details on how it works. Vulnerable services should move to disable SSLv2 support, and the site provides instructions for how to do so for popular software packages like OpenSSL and various web servers. To see if a domain or IP address is vulnerable to DROWN, you can enter it here.
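As an added illustration of the "disable SSLv2" advice (not code from the article or the DROWN site), the sketch below scans web server configuration text for protocol directives that leave SSLv2 enabled. It assumes Apache mod_ssl's `SSLProtocol` and nginx's `ssl_protocols` directives, and conservatively treats Apache's `all` as including SSLv2; the sample configuration is constructed.

```python
import re

# Directives that list enabled protocols (Apache mod_ssl and nginx).
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^#;]+)", re.I)

def sslv2_enabled(directive, tokens):
    """Return True if the token list leaves SSLv2 enabled."""
    if directive.lower() == "ssl_protocols":
        # nginx: a plain allow-list, so SSLv2 is on only if it is named.
        return any(t.lower() == "sslv2" for t in tokens)
    # Apache: tokens apply left to right; "+"/"-" add or remove a protocol,
    # a bare token resets the set. "all" is treated as including SSLv2
    # (assumption: conservative, matches older mod_ssl builds).
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        name = name.lower()
        names = {"sslv2", "sslv3", "tlsv1"} if name == "all" else {name}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = set(names)
    return "sslv2" in enabled

def audit(config_text):
    """Return (line number, directive) pairs that leave SSLv2 enabled."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m and sslv2_enabled(m.group(1), m.group(2).split()):
            findings.append((lineno, line.strip()))
    return findings

# Constructed sample configuration, not taken from any real server.
SAMPLE = """\
# constructed sample
SSLProtocol all -SSLv3
SSLProtocol all -SSLv2 -SSLv3
ssl_protocols SSLv2 TLSv1 TLSv1.2;
ssl_protocols TLSv1.2;
# SSLProtocol +SSLv2
"""

if __name__ == "__main__":
    for lineno, text in audit(SAMPLE):
        print(f"line {lineno}: SSLv2 still enabled -> {text}")
```

A clean result from a configuration scan like this only covers the files it reads; probing the live service remains the way to confirm that SSLv2 handshakes are actually refused.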