• Skip to primary navigation
  • Skip to main content
  • Skip to footer
  • Home
  • Write for Us
  • Contact
  • Advertise
  • Cookie Policy
    • Privacy statement (CA)
    • Cookie policy (CA)
    • Privacy statement (UK)
    • Cookie policy (UK)
    • Privacy statement (US)
    • Do Not Sell My Personal Information
    • Privacy statement (EU)
    • Cookie policy (EU)
    • Disclaimer

TechWalls

Technology News | Gadget Reviews | Tutorials

  • Reviews
  • Tech News
  • Tech Guide
  • Gadget & Apps

Newly discovered HTTPS vulnerability leaves many connections exposed to attacks

Updated on Mar 7, 2016 by Guest Authors

Millions of Internet users are facing the risk of cyber threats as security researchers uncovered a major flaw in the transport layer security that can expose usernames, passwords, banking credentials and credit card to attacks.

OpenSSL, the organization tasked with maintaining a set of encryption tools for the Internet, has called on websites to fix their servers before the flaw, called DROWN, goes to decrypt their Web traffic and snoop on the communication between users through man-in-the-middle attacks.

https

According to a group of researchers that discovered the vulnerability, a DROWN attack can abuse the SSLv2 flaw, a longtime issue in cryptography that continues to plague computer security at present. The vulnerability is then used to decrypt a current TLS session and even past sessions.

The flaw is the product of a series of errors committed by people who develop TLS, and it is lamentable that majority of Internet connections have to bear the brunt as a consequence.

A DROWN attack takes advantage of bugs in the SSLv2 protocol to crack the otherwise secure connections created under the TLS protocol. In a nutshell, the SSLv2 protocol has been vulnerable because its export suite is not configured to counter well-known attacks while TLS defends against those attacks, though both of them are built to support the RSA encryption.

As of this writing, one out of three HTTPS connections are exposed to attackers who might be able to penetrate unpatched web servers and snoop on communications between two users. That is so as far as estimates by security researchers go. At the core of the vulnerability are two outdated versions of OpenSSL that many web servers still use at present. Luckily, OpenSSL was quick to roll out software fixes designed to paralyze the SSLv2 protocol by default and terminate the SSLv2 export ciphers.

The vulnerability has been there for quite some time in the older iterations of the SSL protocol, but the latest version combines export crippled cryptography with backdoor vulnerability. The combination of the two resulted in a massive flaw that devastates all known SSLv2 implementation. OpenSSL advises that websites must no longer use any of the two protocols, but unfortunately, it is still in wide usage today.

This flaw in the SSLv2 protocol actually dates back to the 1990s export-grade cryptography that was developed in compliance with the restrictions set by the United States government, meaning the vulnerability is an indirect result of satisfying the federal government’s desire to take control of the export of cryptography in an erroneous way.

Disclosure: As an Amazon Associate, I earn from qualifying purchases. The commission help keep the rest of my content free, so thank you!

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Footer

Brigii Mini Vacuum Y120 Pro Review – Much More Useful than Expected

Keychron K4 Wireless Mechanical Keyboard Review – The Biggest & The Best?

GuraGear Chobe 2.0 Everyday Carry Bag Review

AuthenTrend AT.Wallet Fingerprint Cryptocurrency Wallet Review – The Coolest One You Can Buy

Follow TechWalls

YoutubeFacebookTwitterInstagram

Recent Posts

  • Brigii Mini Vacuum Y120 Pro Review – Much More Useful than Expected
  • Samsung Galaxy S21 Ultra Model Number SM-G998* Differences
  • Samsung Galaxy S21+ 5G Model Number SM-G996* Differences
  • Samsung Galaxy S21 5G Model Number SM-G991* Differences

Copyright © 2021 · All Rights Reserved