One-third of all HTTPS websites open to DROWN attack

Fortunately fix on the way!

3:31 pm on Mar 1, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:6968
votes: 389


Security researchers have discovered a new technique for deciphering the contents of supposedly secure communications.

The DROWN attack - it has already got a name, like recent high profile crypto attacks Lucky13, BEAST, and POODLE - is a “cross-protocol attack that can decrypt passively collected TLS sessions from up-to-date clients”.

[theregister.co.uk...]
6:25 pm on Mar 1, 2016 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:23279
votes: 360


This is not good at all, especially for a protocol that's not exactly new.

You can check your servers at [drownattack.com...]
11:07 pm on Mar 1, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:July 29, 2007
posts:1745
votes: 80


Only misconfigured servers that still allow SSLv2 connections are vulnerable, apparently. Checking servers at that site is suspicious in that the page isn't actually processing anything (too fast) and is instead spitting out pre-evaluated 'results'. The site gives an 'all clean' to any small domain I try, but checking something like ebay.com leads to dozens of entries.

I apologize for sounding skeptical; we're constantly bombarded with fear tactics designed to motivate us to adopt specific beliefs, and 'questioning the answer' in this case just doesn't give complete answers. Besides, nothing is secure if it moves data over public connections. Is there a problem? Probably. Does it warrant my changing anything (including attitude)? Nope.

The 'Security researchers' are listed as Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt, all of whom are associated with the drownattack website.
10:59 am on Mar 2, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 5, 2002
posts: 1853
votes: 3


What's in it for them?
10:40 pm on Mar 2, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:July 29, 2007
posts:1745
votes: 80


Fame? I don't know, but they seem to want to name and patent the problem, and create a web property tool for it. In their own documentation they warn that they don't believe this flaw has ever been exploited, but it might be now that they have done their reveal publicly, so NOW webmasters should protect themselves. It would have been better for everyone if the problem was brought to those in a position to fix it first. I'm not sure they realize their site is now effectively a hacking guide, complete with all the liability that might entail?

I don't know; as I said, something doesn't sit right with me about the whole finding, but I can't point at why, yet. It might just be how they handled it but... I don't know. I don't like ignoring little red flags in my mind, but have nothing to say they are wrong either. Smarter people than I will figure it out, I'm sure.
7:47 am on Mar 3, 2016 (gmt 0)

New User

joined:Mar 3, 2016
posts:1
votes: 0


What steps are required to prevent it and safeguard our sites?
5:04 pm on Mar 3, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 5, 2002
posts: 1853
votes: 3


Is an openssl update required?