• Skip to primary navigation
  • Skip to main content
  • Skip to footer
  • Home
  • Advertise With Us
  • Contact
  • Cookie Policy
    • Privacy statement (CA)
    • Cookie policy (CA)
    • Privacy statement (UK)
    • Cookie policy (UK)
    • Privacy statement (US)
    • Cookie Policy (US)
    • Privacy statement (EU)
    • Cookie policy (EU)
    • Disclaimer

TechWalls

Technology News | Gadget Reviews | Tutorials

  • Reviews
  • Tech News
  • Tech Guide
  • Gadget & Apps

Newly discovered HTTPS vulnerability leaves many connections exposed to attacks

Updated on Mar 7, 2016 by Guest Authors

Millions of Internet users are facing the risk of cyber threats as security researchers uncovered a major flaw in the transport layer security that can expose usernames, passwords, banking credentials and credit card to attacks.

OpenSSL, the organization tasked with maintaining a set of encryption tools for the Internet, has called on websites to fix their servers before the flaw, called DROWN, goes to decrypt their Web traffic and snoop on the communication between users through man-in-the-middle attacks.

https

According to a group of researchers that discovered the vulnerability, a DROWN attack can abuse the SSLv2 flaw, a longtime issue in cryptography that continues to plague computer security at present. The vulnerability is then used to decrypt a current TLS session and even past sessions.

The flaw is the product of a series of errors committed by people who develop TLS, and it is lamentable that majority of Internet connections have to bear the brunt as a consequence.

A DROWN attack takes advantage of bugs in the SSLv2 protocol to crack the otherwise secure connections created under the TLS protocol. In a nutshell, the SSLv2 protocol has been vulnerable because its export suite is not configured to counter well-known attacks while TLS defends against those attacks, though both of them are built to support the RSA encryption.

As of this writing, one out of three HTTPS connections are exposed to attackers who might be able to penetrate unpatched web servers and snoop on communications between two users. That is so as far as estimates by security researchers go. At the core of the vulnerability are two outdated versions of OpenSSL that many web servers still use at present. Luckily, OpenSSL was quick to roll out software fixes designed to paralyze the SSLv2 protocol by default and terminate the SSLv2 export ciphers.

The vulnerability has been there for quite some time in the older iterations of the SSL protocol, but the latest version combines export crippled cryptography with backdoor vulnerability. The combination of the two resulted in a massive flaw that devastates all known SSLv2 implementation. OpenSSL advises that websites must no longer use any of the two protocols, but unfortunately, it is still in wide usage today.

This flaw in the SSLv2 protocol actually dates back to the 1990s export-grade cryptography that was developed in compliance with the restrictions set by the United States government, meaning the vulnerability is an indirect result of satisfying the federal government’s desire to take control of the export of cryptography in an erroneous way.

Disclosure: We might earn commission from qualifying purchases. The commission help keep the rest of my content free, so thank you!

Footer

OpenRock S Review – Revolutionizing the World of Earbuds

AiDot OREiN & Linkind Matter Smart Light Bulb Review

ALLPOWERS SP033 200W Portable Solar Panel Review – Eco-Friendly Energy on the Go

Epomaker RT100, TH80 Pro, Shadow-X Mechanical Keyboard Reviewed

Follow TechWalls

YoutubeFacebookTwitterInstagram

Recent Posts

  • OpenRock S Review – Revolutionizing the World of Earbuds
  • AiDot OREiN & Linkind Matter Smart Light Bulb Review
  • OKP L1 Robot Vacuum Cleaner Review – Affordable Robot with LiDAR Navigation
  • KEF LS50 Bookshelf Speakers Review: A Sound Decision Over the LS50 Meta

Copyright © 2023 · All Rights Reserved

Manage Cookie Consent
We use technologies like cookies to store and/or access device information. We do this to improve browsing experience and to show personalized ads. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional cookies Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
View preferences
{title} {title} {title}