DROWN attack: Difference between revisions

Browse history interactively ← Previous edit Next edit →Content deleted Content addedVisual WikitextInline

Revision as of 00:20, 2 March 2016 editMarkshale (talk \| contribs)Extended confirmed users669 edits mitigate the vulnerability by removing support for obsolete protocols and ciphers← Previous edit		Revision as of 00:22, 2 March 2016 edit undoMarkshale (talk \| contribs)Extended confirmed users669 edits moreNext edit →
Line 13:		Line 13:
	\| website = Ars Technica		\| website = Ars Technica
	\| access-date = 2016-03-02		\| access-date = 2016-03-02
			\| first = Dan
			\| last= Goodin
			\| website = Ars Technica
	}}</ref> Full details of DROWN were announced in March 2016, together with a patch for the exploit.		}}</ref> Full details of DROWN were announced in March 2016, together with a patch for the exploit.

Line 20:		Line 23:
	\| url = https://www.openssl.org/news/secadv/20160301.txt		\| url = https://www.openssl.org/news/secadv/20160301.txt
	\| title = Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)		\| title = Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
	\| last =		\| last =
	\| first =		\| first =
	\| date = 1 March 2016		\| date = 1 March 2016

Revision as of 00:22, 2 March 2016

The DROWN attack is a security bug that attacks servers supporting modern TLS protocol suites by using their support for the obsolete, insecure, SSLv2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure. Full details of DROWN were announced in March 2016, together with a patch for the exploit.

DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error.

The OpenSSL group has released a security advisory, and a set of patches intended to mitigate the vulnerability by removing support for obsolete protocols and ciphers. Several other vulnerabilities were patched at the same time.,

References

Leyden, John (1 March 2016). "One-third of all HTTPS websites open to DROWN attack". The Register. Retrieved 2016-03-02.
Goodin, Dan. "More than 11 million HTTPS websites imperiled by new decryption attack". Ars Technica. Retrieved 2016-03-02.
"Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)". OpenSSL. 1 March 2016.

External links

TLS and SSL

Protocols and technologies

Transport Layer Security / Secure Sockets Layer (TLS/SSL)
Datagram Transport Layer Security (DTLS)
Server Name Indication (SNI)
Application-Layer Protocol Negotiation (ALPN)
DNS-based Authentication of Named Entities (DANE)
DNS Certification Authority Authorization (CAA)
HTTPS
HTTP Strict Transport Security (HSTS)
HTTP Public Key Pinning (HPKP)
OCSP stapling
Opportunistic TLS
Perfect forward secrecy

Public-key infrastructure

Automated Certificate Management Environment (ACME)
Certificate authority (CA)
CA/Browser Forum
Certificate policy
Certificate revocation
- Certificate revocation list (CRL)
- Online Certificate Status Protocol (OCSP)
- OCSP stapling
Domain-validated certificate (DV)
Extended Validation Certificate (EV)
Public key certificate
Public-key cryptography
Public key infrastructure (PKI)
Root certificate
Self-signed certificate