One-third of all HTTPS websites open to DROWN attack

Forum Moderators: phranque

Message Too Old, No Replies

One-third of all HTTPS websites open to DROWN attack

Fortunately fix on the way!

tangor

3:31 pm on Mar 1, 2016 (gmt 0)

Security researchers have discovered a new technique for deciphering the contents of supposedly secure communications.

The DROWN attack - it has already got a name, like recent high profile crypto attacks Lucky13, BEAST, and POODLE - is a “cross-protocol attack that can decrypt passively collected TLS sessions from up-to-date clients”.

[theregister.co.uk...]

engine

6:25 pm on Mar 1, 2016 (gmt 0)

This is not good at all, especially for a protocol that's not exactly new.

You can check your servers at [drownattack.com...]

JS_Harris

11:07 pm on Mar 1, 2016 (gmt 0)

Only misconfigured servers that still allow SSLv2 connections are vulnerable, apparently. Checking servers at that site is suspicious in that the page isn't actually processing anything(too fast) and is instead spitting out pre-evaluated 'results'. The site gives an 'all clean' to any small domain I try but checking something like ebay.com leads to dozens of entries.

I apologize for sounding skeptical, we're constantly bombarded with fear tactics designed to motivate us to adopt specific beliefs and 'questioning the answer' in this case just doesn't give complete answers. Besides, nothing is secure if it moves data over public connections. Is there a problem? Probably. Does it warrant my changing anything(including attitude)? Nope.

The 'Security researchers' are listed as Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt all of which are associated with the drownattack website.

Tonearm

10:59 am on Mar 2, 2016 (gmt 0)

What's in it for them?

JS_Harris

10:40 pm on Mar 2, 2016 (gmt 0)

Fame? I don't know but they seem to want to name and patent the problem, and create a web property tool for it. In their own documentation they warn that they don't believe this flaw has ever been exploited but it might be now that they have done their reveal publicly so NOW webmasters should protect themselves. It would have been better for everyone if the problem was brought to those in a position to fix it first. I'm not sure they realize their site is now effectively a hacking guide, complete with all the liability that might entail?

I don't know, as I said something doesn't sit right with me about the whole finding but I can't point at why, yet. It might just be how they handled it but... I don't know. I don't like ignoring little red flags in my mind but have nothing to say they are wrong either. Smarter people than I will figure it out I'm sure.

iwolfpack

7:47 am on Mar 3, 2016 (gmt 0)

What steps are required to prevent, safe guard our sites?

Tonearm

5:04 pm on Mar 3, 2016 (gmt 0)

Is an openssl update required?