Millions of Internet users are facing the risk of cyber threats as security researchers uncovered a major flaw in the transport layer security that can expose usernames, passwords, banking credentials and credit card to attacks.
OpenSSL, the organization tasked with maintaining a set of encryption tools for the Internet, has called on websites to fix their servers before the flaw, called DROWN, goes to decrypt their Web traffic and snoop on the communication between users through man-in-the-middle attacks.
According to a group of researchers that discovered the vulnerability, a DROWN attack can abuse the SSLv2 flaw, a longtime issue in cryptography that continues to plague computer security at present. The vulnerability is then used to decrypt a current TLS session and even past sessions.
The flaw is the product of a series of errors committed by people who develop TLS, and it is lamentable that majority of Internet connections have to bear the brunt as a consequence.
A DROWN attack takes advantage of bugs in the SSLv2 protocol to crack the otherwise secure connections created under the TLS protocol. In a nutshell, the SSLv2 protocol has been vulnerable because its export suite is not configured to counter well-known attacks while TLS defends against those attacks, though both of them are built to support the RSA encryption.
As of this writing, one out of three HTTPS connections are exposed to attackers who might be able to penetrate unpatched web servers and snoop on communications between two users. That is so as far as estimates by security researchers go. At the core of the vulnerability are two outdated versions of OpenSSL that many web servers still use at present. Luckily, OpenSSL was quick to roll out software fixes designed to paralyze the SSLv2 protocol by default and terminate the SSLv2 export ciphers.
The vulnerability has been there for quite some time in the older iterations of the SSL protocol, but the latest version combines export crippled cryptography with backdoor vulnerability. The combination of the two resulted in a massive flaw that devastates all known SSLv2 implementation. OpenSSL advises that websites must no longer use any of the two protocols, but unfortunately, it is still in wide usage today.
This flaw in the SSLv2 protocol actually dates back to the 1990s export-grade cryptography that was developed in compliance with the restrictions set by the United States government, meaning the vulnerability is an indirect result of satisfying the federal government’s desire to take control of the export of cryptography in an erroneous way.