| Revision as of 00:27, 2 March 2016 editMarkshale (talk | contribs)Extended confirmed users669 edits more← Previous edit | Revision as of 00:30, 2 March 2016 edit undoMarkshale (talk | contribs)Extended confirmed users669 edits The proof-of-concept attack used commercial cloud computing to perform part of the codebreaking calculations, at a cost of around $400.Next edit → | ||
| Line 17: | Line 17: | ||
| | last= Goodin | | last= Goodin | ||
| | website = Ars Technica | | website = Ars Technica | ||
| }}</ref> Full details of DROWN were announced in March 2016, together with a patch for the exploit. | }}</ref> Full details of DROWN were announced in March 2016, together with a patch for the exploit. | ||
| DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error. According to the discoverers, the exploit cannot be fixed by making changes to client software such as web browsers. | DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error. According to the discoverers, the exploit cannot be fixed by making changes to client software such as web browsers. | ||
| The exploit includes a ] and the use of a ]. | The exploit includes a ] and the use of a ]. The proof-of-concept attack used commercial ] to perform part of the codebreaking calculations, at a cost of around $400. | ||
| The ] group has released a security advisory, and a set of patches intended to mitigate the vulnerability by removing support for obsolete protocols and ciphers.<ref>{{Cite web | The ] group has released a security advisory, and a set of patches intended to mitigate the vulnerability by removing support for obsolete protocols and ciphers.<ref>{{Cite web | ||
Revision as of 00:30, 2 March 2016
The DROWN attack is a security bug that attacks servers supporting modern TLS protocol suites by using their support for the obsolete, insecure, SSLv2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure. Full details of DROWN were announced in March 2016, together with a patch for the exploit.
DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error. According to the discoverers, the exploit cannot be fixed by making changes to client software such as web browsers.
The exploit includes a chosen-ciphertext attack and the use of a Bleichenbacher oracle. The proof-of-concept attack used commercial cloud computing to perform part of the codebreaking calculations, at a cost of around $400.
The OpenSSL group has released a security advisory, and a set of patches intended to mitigate the vulnerability by removing support for obsolete protocols and ciphers. Several other vulnerabilities were patched at the same time.,
References
- Leyden, John (1 March 2016). "One-third of all HTTPS websites open to DROWN attack". The Register. Retrieved 2016-03-02.
- Goodin, Dan (1 March 2016). "More than 11 million HTTPS websites imperiled by new decryption attack". Ars Technica. Retrieved 2016-03-02.
- "Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)". OpenSSL. 1 March 2016.
External links
| TLS and SSL | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| Protocols and technologies |
| ||||||||
| Public-key infrastructure |
| ||||||||
| See also |
| ||||||||
| History | |||||||||
| Implementations | |||||||||
| Notaries | |||||||||
| Vulnerabilities |
| ||||||||
 | This cryptography-related article is a stub. You can help Misplaced Pages by expanding it. |