Revision as of 00:22, 2 March 2016
The DROWN attack is a security bug that attacks servers supporting modern TLS protocol suites by using their support for the obsolete, insecure SSLv2 protocol to attack connections that use up-to-date protocols and would otherwise be secure. Full details of DROWN were announced in March 2016, together with a patch for the vulnerability.
DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error.
The OpenSSL group has released a security advisory and a set of patches intended to mitigate the vulnerability by removing support for obsolete protocols and ciphers. Several other vulnerabilities were patched at the same time.
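Because the exposure comes from server configuration, a configuration audit is a natural companion to patching. The following is an added example, not part of the original article or of OpenSSL: it scans web-server configuration text for protocol directives that leave SSLv2 switched on. The choice of Apache mod_ssl (`SSLProtocol`) and nginx (`ssl_protocols`) directives, the function name and the sample configuration are assumptions made for illustration.

```python
import re

# Protocol-selection directives: Apache mod_ssl and nginx (assumed targets).
DIRECTIVE = re.compile(r"^[ \t]*(SSLProtocol|ssl_protocols)[ \t]+([^;#\n]+)",
                       re.I | re.M)


def audit_sslv2(config_text):
    """Return [(directive_text, verdict)] for every protocol directive found.

    verdict is:
      "enabled"  - SSLv2 is listed or added explicitly
      "review"   - Apache 'all' shortcut without a later '-SSLv2'
                   (on Apache 2.2, 'all' includes SSLv2)
      "disabled" - SSLv2 is not selected by this directive
    Tokens are evaluated left to right, as mod_ssl does.
    """
    findings = []
    for m in DIRECTIVE.finditer(config_text):
        is_apache = m.group(1).lower() == "sslprotocol"
        verdict = "disabled"
        for tok in m.group(2).split():
            minus = tok.startswith("-")
            bare = tok.lstrip("+-").lower()
            if bare == "sslv2":
                verdict = "disabled" if minus else "enabled"
            elif bare == "all" and is_apache:
                verdict = "disabled" if minus else "review"
        findings.append((m.group(0).strip(), verdict))
    return findings


# Constructed sample configuration lines, not taken from any real server.
SAMPLE = """
# SSLProtocol +SSLv2   (commented out, must be ignored)
SSLProtocol all -SSLv3
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol -all +TLSv1.2
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_protocols TLSv1.2 TLSv1.3;
"""

if __name__ == "__main__":
    for line, verdict in audit_sslv2(SAMPLE):
        print(f"{verdict:8}  {line}")
```

A "disabled" verdict only describes the directive that was parsed; the server's effective behaviour also depends on its TLS library build and on any other virtual hosts or services configured elsewhere.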
References
- Leyden, John (1 March 2016). "One-third of all HTTPS websites open to DROWN attack". The Register. Retrieved 2016-03-02.
- Goodin, Dan (1 March 2016). "More than 11 million HTTPS websites imperiled by new decryption attack". Ars Technica. Retrieved 2016-03-02.
- "Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)". OpenSSL. 1 March 2016.