A security vulnerability currently exposes several million websites. This is reported by security researchers who have succeeded in using the so-called “Drown Attack” to capture all user data from affected sites – including well-known websites such as Yahoo, Dailymotion and Buzzfeed.
This is made possible by the obsolete encryption protocol SSLv2. Its insecurity is well known, so it is hardly used any more, but on many servers SSLv2 nevertheless still runs in the background. This vulnerability has now been exploited by the researchers, as they report on their information page on the Drown attack.
For this, the team first passively recorded TLS traffic, which on its own is secure. They then carried out an attack against the server via SSLv2, with which the so-called pre-master secret was cracked, making it possible to decrypt the previously recorded traffic. The age of the recorded data is irrelevant: even years-old traffic can be deciphered just as easily.
The Drown attack has parallels to a similar vulnerability that made the network unsafe two years ago: with the "Heartbleed" vulnerability, OpenSSL encryption was cracked, endangering more than two-thirds of all web servers.