1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

OpenSSL update fixes DROWN vulnerability

Discussion in 'CSO' started by RSS, Mar 1, 2016.

  1. RSS

    RSS New Member Member

    An international team of researchers has uncovered an attack that can compromise encrypted network traffic in a matter of hours.

    The DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) attack successfully decrypts TLS (transport layer security) sessions by exploiting a vulnerability in the older SSL v2 protocol that exposes private RSA keys. Once again, old cryptography is breaking the security of all online communications.

    [ Safeguard your data! The tools you need to encrypt your communications and Web data. • The tools you need to encrypt your communications and Web data. • InfoWorld's encryption Deep Dive how-to report. | Discover how to secure your systems with InfoWorld's Security newsletter. ]

    DROWN is different from other attacks against TLS in that it doesn't need servers to be using the older version; the attack will succeed as long as the targeted system supports SSL v2. The cross-protocol attack (CVE-2016-0800) could lead to decryption of any encrypted session using SSL/TLS protocols as long as the server supports SSL v2 and uses RSA key exchange, the researchers said in their technical paper.

    To read this article in full or to leave a comment, please click here

    Continue reading...

Share This Page