DROWN attack: Difference between revisions

Revision as of 00:30, 2 March 2016 by Markshale (talk | contribs; extended confirmed user, 669 edits): The proof-of-concept attack used commercial cloud computing to perform part of the codebreaking calculations, at a cost of around $400.

Revision as of 00:34, 2 March 2016 by Markshale (talk | contribs; extended confirmed user, 669 edits): After the attack has extracted the private key of the server, the security of the site is then totally compromised from then on.

Line 21: Line 21:
DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error. According to the discoverers, the exploit cannot be fixed by making changes to client software such as web browsers. DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error. According to the discoverers, the exploit cannot be fixed by making changes to client software such as web browsers.


The exploit includes a ] and the use of a ]. The proof-of-concept attack used commercial ] to perform part of the codebreaking calculations, at a cost of around $400. The exploit includes a ] and the use of a ]. The proof-of-concept attack used commercial ] to perform part of the codebreaking calculations, at a cost of around $400. After the attack has extrscted the private key of the server, the security of the site is then totally compromised from then on.


The ] group has released a security advisory, and a set of patches intended to mitigate the vulnerability by removing support for obsolete protocols and ciphers.<ref>{{Cite web The ] group has released a security advisory, and a set of patches intended to mitigate the vulnerability by removing support for obsolete protocols and ciphers.<ref>{{Cite web
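
Review bot: the sentence appended to the second paragraph of this hunk ("After the attack has extrscted the private key of the server, ...") misspells "extracted", says "then ... from then on" twice over, and carries no citation, while the OpenSSL sentence that follows it has a <ref>. Suggest correcting the spelling, dropping the first "then", and attaching a source that supports the private-key claim before it stays in the article.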

Revision as of 00:34, 2 March 2016

The DROWN attack is a cross-protocol security bug affecting servers that support modern TLS protocol suites: it uses their support for the obsolete, insecure SSLv2 protocol to attack connections using up-to-date protocols that would otherwise be secure. Full details of DROWN were announced in March 2016, together with a patch for the exploit.

DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error. According to the discoverers, the exploit cannot be fixed by making changes to client software such as web browsers.

The exploit includes a chosen-ciphertext attack and the use of a Bleichenbacher oracle. The proof-of-concept attack used commercial cloud computing to perform part of the codebreaking calculations, at a cost of around $400. After the attack has extracted the private key of the server, the security of the site is totally compromised from then on.

The OpenSSL group has released a security advisory, and a set of patches intended to mitigate the vulnerability by removing support for obsolete protocols and ciphers. Several other vulnerabilities were patched at the same time.
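
Because DROWN depends on the server's configuration still allowing SSLv2, a configuration audit is a natural check. The following is an added example, not part of the original article or of OpenSSL: it scans nginx `ssl_protocols` and Apache `SSLProtocol` directives for SSLv2. The sample configuration is constructed, and the treatment of `all` as "needs review" is an assumption of this example.

```python
# Added example: flag TLS server configuration lines that leave SSLv2 enabled.
NGINX, APACHE = "ssl_protocols", "sslprotocol"


def sslv2_state(line):
    """Classify one config line as 'enabled', 'disabled' or 'review';
    return None when the line is not a protocol directive."""
    text = line.split("#", 1)[0].strip().rstrip(";").strip()
    parts = text.split()
    if not parts or parts[0].lower() not in (NGINX, APACHE):
        return None
    state = "disabled"  # SSLv2 stays off unless a token turns it on
    for tok in (p.lower() for p in parts[1:]):
        removed = tok.startswith("-")
        name = tok.lstrip("+-")
        if name == "sslv2":
            state = "disabled" if removed else "enabled"
        elif name == "all":
            # Assumption: what "all" expands to depends on the server version
            # and TLS library, so it is reported for manual review.
            state = "disabled" if removed else "review"
    return state


def audit(config_text):
    """Return (line number, state, text) for every directive needing action."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        state = sslv2_state(line)
        if state in ("enabled", "review"):
            findings.append((lineno, state, line.strip()))
    return findings


# Constructed sample input, not taken from a real host.
SAMPLE = """\
# front-end TLS settings
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol all
SSLProtocol -all +TLSv1.2
"""

if __name__ == "__main__":
    for lineno, state, text in audit(SAMPLE):
        print(f"line {lineno}: SSLv2 {state}: {text}")
```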

References

  1. Leyden, John (1 March 2016). "One-third of all HTTPS websites open to DROWN attack". The Register. Retrieved 2016-03-02.
  2. Goodin, Dan (1 March 2016). "More than 11 million HTTPS websites imperiled by new decryption attack". Ars Technica. Retrieved 2016-03-02.
  3. "Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)". OpenSSL. 1 March 2016.
