TechWalls
Newly discovered HTTPS vulnerability leaves many connections exposed to attacks

Updated on Mar 7, 2016 by Chesky Ron

Millions of Internet users are at risk after security researchers uncovered a major flaw in Transport Layer Security (TLS) that can expose usernames, passwords, banking credentials and credit card numbers to attackers.

OpenSSL, the organization tasked with maintaining a set of encryption tools for the Internet, has called on websites to fix their servers before the flaw, called DROWN, is used to decrypt their Web traffic and snoop on communication between users through man-in-the-middle attacks.


According to the group of researchers who discovered the vulnerability, a DROWN attack abuses a flaw in SSLv2, a longtime issue in cryptography that continues to plague computer security today. The flaw is then used to decrypt a current TLS session and even past sessions.

The flaw is the product of a series of errors committed by the people who develop TLS, and it is lamentable that the majority of Internet connections have to bear the brunt as a consequence.

A DROWN attack takes advantage of bugs in the SSLv2 protocol to crack the otherwise secure connections created under the TLS protocol. In a nutshell, SSLv2 is vulnerable because its export cipher suites do not defend against well-known attacks that TLS does defend against, even though both protocols are built to support RSA encryption.

As of this writing, by security researchers' estimates, one out of three HTTPS connections is exposed to attackers who might be able to penetrate unpatched web servers and snoop on communications between two users. At the core of the vulnerability are two outdated versions of OpenSSL that many web servers still use at present. Luckily, OpenSSL was quick to roll out software fixes that disable the SSLv2 protocol by default and remove the SSLv2 export ciphers.
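The fix described above is only effective once a server actually stops answering SSLv2 handshakes, so administrators will want to verify that after patching. The following Python script is an added example for this article, not code from the researchers or from OpenSSL: it inspects a server's reply to an SSLv2 CLIENT-HELLO offline (the byte strings below are constructed samples, not real captures) and reports whether the server still speaks SSLv2 and whether it offers the export-grade cipher kinds that DROWN builds on. The SSLv2 record layout and cipher-kind codes follow the SSL 2.0 specification; the certificate blob and connection id in the sample are placeholders.

```python
import struct

# SSLv2 CIPHER-KIND codes (3 bytes each) from the SSL 2.0 specification.
SSLV2_CIPHER_KINDS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# The 40-bit "export" kinds are the ones crippled to satisfy 1990s US export rules.
EXPORT_KINDS = {0x020080, 0x040080}

SSLV2_SERVER_HELLO = 0x04


def parse_sslv2_server_hello(data: bytes):
    """Return a dict describing an SSLv2 SERVER-HELLO, or None if `data` is not one.

    SSLv2 record header: 2 bytes; when the high bit is set, the remaining 15 bits
    are the record length and there is no padding byte. The SERVER-HELLO body is
    MSG-TYPE, SESSION-ID-HIT, CERTIFICATE-TYPE, VERSION, CERT-LEN, CIPHER-LEN,
    CONN-ID-LEN, then the certificate, cipher kinds and connection id.
    """
    if len(data) < 2 or not data[0] & 0x80:
        return None  # a TLS record (0x14-0x17) or garbage, not an SSLv2 record
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < length or len(body) < 11:
        return None  # truncated record
    (msg_type, session_id_hit, cert_type, version,
     cert_len, cipher_len, conn_id_len) = struct.unpack("!BBBHHHH", body[:11])
    if msg_type != SSLV2_SERVER_HELLO or version != 0x0002:
        return None
    offset = 11
    cert = body[offset:offset + cert_len]
    offset += cert_len
    cipher_bytes = body[offset:offset + cipher_len]
    offset += cipher_len
    conn_id = body[offset:offset + conn_id_len]
    if len(conn_id) != conn_id_len or cipher_len % 3:
        return None  # inconsistent length fields
    kinds = [int.from_bytes(cipher_bytes[i:i + 3], "big") for i in range(0, cipher_len, 3)]
    return {
        "version": version,
        "session_id_hit": session_id_hit,
        "certificate_type": cert_type,
        "certificate_len": len(cert),
        "cipher_kinds": [SSLV2_CIPHER_KINDS.get(k, f"UNKNOWN_{k:06x}") for k in kinds],
        "export_ciphers": [SSLV2_CIPHER_KINDS[k] for k in kinds if k in EXPORT_KINDS],
    }


def assess(data: bytes) -> str:
    """Summarise a server response: any SSLv2 SERVER-HELLO at all is a failure."""
    hello = parse_sslv2_server_hello(data)
    if hello is None:
        return "OK: server did not answer with an SSLv2 SERVER-HELLO"
    if hello["export_ciphers"]:
        return "FAIL: SSLv2 enabled with export ciphers: " + ", ".join(hello["export_ciphers"])
    return "FAIL: SSLv2 enabled (no export ciphers offered)"


def build_sample_server_hello(cipher_kinds, cert=b"\x30\x03\x02\x01\x01",
                              conn_id=b"\x00" * 16) -> bytes:
    """Construct an SSLv2 SERVER-HELLO record for this example (placeholder cert and id)."""
    ciphers = b"".join(k.to_bytes(3, "big") for k in cipher_kinds)
    body = struct.pack("!BBBHHHH", SSLV2_SERVER_HELLO, 0, 1, 0x0002,
                       len(cert), len(ciphers), len(conn_id))
    body += cert + ciphers + conn_id
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


# Constructed samples: an unpatched server offering export kinds, and a patched
# server that answers the SSLv2 hello with a fatal TLS handshake_failure alert.
VULNERABLE_RESPONSE = build_sample_server_hello([0x010080, 0x020080, 0x040080])
PATCHED_RESPONSE = bytes.fromhex("15030200020228")

if __name__ == "__main__":
    print(assess(VULNERABLE_RESPONSE))
    print(assess(PATCHED_RESPONSE))
```

Only the parsing is shown; in practice the response bytes would come from the server socket after sending a minimal SSLv2 CLIENT-HELLO, and anything other than "OK" means the server still needs the OpenSSL update described above, regardless of whether export kinds appear in the list.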

The vulnerability has existed for quite some time in the older iterations of the SSL protocol, but the latest attack combines export-crippled cryptography with a backdoor vulnerability. The combination of the two results in a massive flaw that devastates all known SSLv2 implementations. OpenSSL advises that websites must no longer use either of the two, but unfortunately, they are still in wide use today.

This flaw in the SSLv2 protocol actually dates back to the 1990s export-grade cryptography that was developed in compliance with restrictions set by the United States government, meaning the vulnerability is an indirect result of the federal government's misguided attempt to control the export of cryptography.
