HTTPS Susceptible to Drown Attacks
Researchers on discovering that a new method tends to disable their encryption protection have cautioned websites that they could be exposed to spies. An expert has stated that a third of all computer servers using the HTTPS protocol tend to be represented often by a padlock in web browsers and were susceptible to the so called Drown attacks.
They have warned that the passwords, credit card numbers, emails as well as sensitive documents can be stolen as a result. The issue would be sought though it would take some time for several of the website administrators to protect their systems. A tool that would identify websites which tends to be susceptible has been released by the researchers. They have said that they had not released the code used to prove their theory since there seems to be several servers still susceptible to the attack.There is no evidence yet, that hackers have worked out how to replicate their technique.
An independent expert had commented that he had no doubt that the problem could be real. Prof Alan Woodward from the University of Surrey has stated that `what is shocking regarding this is that they have found a way to use a very old fault which we have known since 1998 and all this was perfectly avoidable.
Computer Server Prone to Attack Supporting Encryption SSlv2
It is the outcome of having used deliberately weakened encryption that people broke years ago and is now combing back to haunt us. Researchers, cyber-security experts from universities in Israel, Germany and US, together with member of Google’s security team have discovered that a computer server can be prone to attack by just supporting 1990s-era encryption protocol SSLv2 – Secure Sockets Layer version 2, even if it employs a day-to-day more modern encryption standards to scramble communications.
Older email servers, in practice, could be more likely in having this problem than the latest computers naturally used to power websites. However, several of the organisations tend to reuse encryption certificates and keys between the two sets of servers. Researchers have dubbed the flaw Drown, which is an acronym for decrypting the Rivest-Shamir Adleman – RSA process with obsolete together with weakened encryption.
Careless Server Configuration
They wrote that operators of vulnerable servers should take action. There is nothing practical which browsers or end-users can do on their own to protect against this attack. The SSLv2 procedure had been weakened deliberately since at the time of its development, the US government needed to attempt to restrict the availability of tough encryption standards to other countries.Prof Matthew Green from Johns Hopkins University had blogged that the problem is while clients such as web browsers have done away with SSLv2, several servers tend to support the protocol.
In most of the cases, it is the outcome of careless server configuration. In others, the fault lies with inferior obsolete embedded devices which have not seen an update of software in years and possibly never will. A considerable amount of computational force would be needed to mount a successful attack on a website.
However, researchers have stated that under normal situations, hackers tend to rent the needed capacity from Amazon’s cloud compute division for a sum of $440. Besides this, since several of the servers seem to be in danger to Drown had also been affected by separate bug, a successful attack could be carried out utilising a home computer.
