Revision as of 00:34, 2 March 2016 editMarkshale (talk | contribs)Extended confirmed users669 edits After the attack has extrscted the private key of the server, the security of the site is then totally compromised from then on.← Previous edit | Revision as of 00:34, 2 March 2016 edit undoMarkshale (talk | contribs)Extended confirmed users669 edits {{expert-subject|Cryptogrsphy}}Next edit → | ||
Line 1: | Line 1: | ||
{{expert-subject|Cryptogrsphy}} | |||
The '''DROWN''' attack is a ] that attacks servers supporting modern ] ]s by using their support for the obsolete, insecure, SSLv2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure.<ref>{{Cite web | The '''DROWN''' attack is a ] that attacks servers supporting modern ] ]s by using their support for the obsolete, insecure, SSLv2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure.<ref>{{Cite web | ||
| url = http://www.theregister.co.uk/2016/03/01/drown_tls_protocol_flaw/ | | url = http://www.theregister.co.uk/2016/03/01/drown_tls_protocol_flaw/ |
Revision as of 00:34, 2 March 2016
This article needs attention from an expert in Cryptogrsphy. Please add a reason or a talk parameter to this template to explain the issue with the article. WikiProject Cryptogrsphy may be able to help recruit an expert. |
The DROWN attack is a security bug that attacks servers supporting modern TLS protocol suites by using their support for the obsolete, insecure, SSLv2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure. Full details of DROWN were announced in March 2016, together with a patch for the exploit.
DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error. According to the discoverers, the exploit cannot be fixed by making changes to client software such as web browsers.
The exploit includes a chosen-ciphertext attack and the use of a Bleichenbacher oracle. The proof-of-concept attack used commercial cloud computing to perform part of the codebreaking calculations, at a cost of around $400. After the attack has extrscted the private key of the server, the security of the site is then totally compromised from then on.
The OpenSSL group has released a security advisory, and a set of patches intended to mitigate the vulnerability by removing support for obsolete protocols and ciphers. Several other vulnerabilities were patched at the same time.,
References
- Leyden, John (1 March 2016). "One-third of all HTTPS websites open to DROWN attack". The Register. Retrieved 2016-03-02.
- Goodin, Dan (1 March 2016). "More than 11 million HTTPS websites imperiled by new decryption attack". Ars Technica. Retrieved 2016-03-02.
- "Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)". OpenSSL. 1 March 2016.
External links
TLS and SSL | |||||||||
---|---|---|---|---|---|---|---|---|---|
Protocols and technologies |
| ||||||||
Public-key infrastructure |
| ||||||||
See also |
| ||||||||
History | |||||||||
Implementations | |||||||||
Notaries | |||||||||
Vulnerabilities |
|
This cryptography-related article is a stub. You can help Misplaced Pages by expanding it. |