New TLS decryption attack affects one in three servers due to legacy SSLv2 support

Security researchers have discovered a new weakness that could allow attackers to spy on encrypted communications between users and one in three HTTPS servers.

The problem exits because many HTTPS servers still support the old and insecure SSL (Secure Sockets Layer) version 2 protocol. SSLv2 was superseded by SSLv3 in 1996, but only officially deprecated in 2011. SSLv3 was replaced, too, by the more modern TLS (Transport Layer Security) versions 1.0, 1.1 and 1.2.

SSLv2 should never be used for encrypted communications. However, security professional didn’t see support for it in server configurations as posing a security threat until now, because modern browsers and other TLS-capable clients wouldn’t use it.

To read this article in full or to leave a comment, please click here