One third of HTTPS sites vulnerable to cheap hack, say researchers
A team of international researchers has discovered a security vulnerability that can be exploited in a relatively low-cost attack that will decrypt secured communications in only a few hours.
Up to one third of all HTTPS-secured websites, including around 80,000 of the world's most popular sites, are among those listed as vulnerable to a DROWN attack, according to the researchers.
"DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS," the researchers write, describing it as a cross-protocol attack that can "decrypt passively collected TLS sessions from up-to-date clients".
According to the research team, "modern servers and clients use the TLS encryption protocol. However, due to misconfigurations, many servers also still support SSLv2, a 1990s-era predecessor to TLS. This support did not matter in practice, since no up-to-date clients actually use SSLv2. Therefore, even though SSLv2 is known to be badly insecure, until now, merely supporting SSLv2 was not considered a security problem, because clients never used it."
The team recommends that server operators ensure their private keys are not used anywhere with server software that allows SSLv2 connections, including web servers, SMTP servers, and IMAP and POP servers. Because the attack is against the key rather than an individual service, a key shared between a TLS-only web server and an SSLv2-capable mail server on the same host, or on another host, exposes the TLS sessions of both.
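A practical way to act on that recommendation is to test every service that holds a copy of the key and see whether it will complete an SSLv2 handshake at all. The Python probe below is an added example for this page, not a tool published by the DROWN researchers: it sends a raw SSLv2 CLIENT-HELLO offering every SSLv2 cipher kind and parses the SERVER-HELLO, if one comes back. The record and message layouts follow the SSLv2 draft specification; the sample SERVER-HELLO and the TLS alert near the bottom are constructed for the self-check rather than captured from a real server, and the host/port command-line interface is the example's own.

```python
"""Probe a service for SSLv2 support with a raw SSLv2 CLIENT-HELLO.

Added example, not the DROWN researchers' scanner. Speaks SSLv2 directly
on an implicit-TLS port (443, 465, 993, 995, ...). STARTTLS ports would
need the protocol's STARTTLS preamble first, which this does not do.
"""
import socket
import struct

# SSLv2 cipher kinds (3-byte CIPHER-SPECs) from the SSLv2 draft spec.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
SSLV2_MT_CLIENT_HELLO = 0x01
SSLV2_MT_SERVER_HELLO = 0x04


def build_client_hello(challenge=b"\x00" * 16):
    """Build an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher kind."""
    specs = b"".join(SSLV2_CIPHERS)
    body = (
        bytes([SSLV2_MT_CLIENT_HELLO])
        + b"\x00\x02"                                     # CLIENT-VERSION = SSLv2
        + struct.pack(">HHH", len(specs), 0, len(challenge))  # spec, session-id, challenge lengths
        + specs + challenge
    )
    # Two-byte record header: high bit set means a 2-byte header, no padding.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(record):
    """Parse an SSLv2 SERVER-HELLO record; return its fields, or None if it is not one."""
    if len(record) < 2 or not record[0] & 0x80:
        return None                                   # not a 2-byte-header SSLv2 record
    length = struct.unpack(">H", record[:2])[0] & 0x7FFF
    body = record[2:2 + length]
    if len(body) != length or length < 11 or body[0] != SSLV2_MT_SERVER_HELLO:
        return None                                   # truncated, too short, or ERROR/other type
    hit, cert_type, version, cert_len, specs_len, cid_len = struct.unpack(">BBHHHH", body[1:11])
    if length != 11 + cert_len + specs_len + cid_len or specs_len % 3:
        return None                                   # lengths do not add up
    cert = body[11:11 + cert_len]
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    ciphers = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, specs_len, 3)]
    return {"session_id_hit": hit, "cert_type": cert_type, "version": version,
            "certificate": cert, "ciphers": ciphers}


def server_accepts_sslv2(response):
    """True when the response is a SERVER-HELLO that offers at least one SSLv2 cipher."""
    hello = parse_server_hello(response)
    return hello is not None and bool(hello["ciphers"])


def probe(host, port=443, timeout=5.0):
    """Connect, send the CLIENT-HELLO, and return the parsed SERVER-HELLO or None."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(16384)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return parse_server_hello(data)


# Constructed SERVER-HELLO for the self-check (not a real capture): no session
# hit, cert-type 1 (X.509), version 0x0002, a 5-byte placeholder certificate,
# two cipher specs, and a 16-byte connection id.
_FAKE_CERT = b"\x30\x03\x02\x01\x00"
_SPECS = b"\x01\x00\x80\x07\x00\xc0"
_CONN_ID = bytes(range(16))
SAMPLE_SERVER_HELLO = (
    struct.pack(">H", 0x8000 | (11 + len(_FAKE_CERT) + len(_SPECS) + len(_CONN_ID)))
    + bytes([SSLV2_MT_SERVER_HELLO, 0, 1]) + b"\x00\x02"
    + struct.pack(">HHH", len(_FAKE_CERT), len(_SPECS), len(_CONN_ID))
    + _FAKE_CERT + _SPECS + _CONN_ID
)
# Constructed TLS alert record, the kind of answer a server without SSLv2 may give.
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"


if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    hello = probe(host, port)
    if hello:
        print(f"{host}:{port} accepts SSLv2; ciphers: {', '.join(hello['ciphers'])}")
    else:
        print(f"{host}:{port} did not complete an SSLv2 handshake")
```

Run it against each port that serves the same certificate, for example 443, 465, 993 and 995; a SERVER-HELLO from any of them means that key needs SSLv2 disabled on that service or rotated. A silent close, a reset, or a TLS alert is the expected behaviour from software with SSLv2 turned off.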