OpenSSL update fixes Drown vulnerability
An international team of researchers has uncovered an attack that can compromise encrypted network traffic in a matter of hours.
The Drown (Decrypting RSA with Obsolete and Weakened Encryption) attack successfully decrypts TLS (transport layer security) sessions by exploiting a vulnerability in the older SSL v2 protocol that exposes private RSA keys. Once again, old cryptography is breaking the security of all online communications.
Drown is different from other attacks against TLS in that it doesn’t need servers to be using the older version; the attack will succeed as long as the targeted system supports SSL v2. The cross-protocol attack (CVE-2016-0800) could lead to decryption of any encrypted session using SSL/TLS protocols as long as the server supports SSL v2 and uses RSA key exchange, the researchers said in their technical paper.
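The precondition described above, a server that still answers an SSLv2 handshake, can be checked by sending an SSLv2 CLIENT-HELLO and classifying the reply. The Python below is an added example, not code from the article or from the researchers; the function names and the sample reply are constructed for illustration.

```python
import socket
import struct

# SSLv2 wire-format constants (message types and protocol version).
MT_CLIENT_HELLO, MT_SERVER_HELLO = 1, 4
SSL2_VERSION = 0x0002
# SSLv2 cipher kinds offered in the probe, 3 bytes each on the wire.
CIPHER_KINDS = [0x010080, 0x020080, 0x030080, 0x040080, 0x060040, 0x0700C0]

def build_client_hello(challenge=b"\x00" * 16):
    """Return an SSLv2 CLIENT-HELLO record (2-byte header, empty session id)."""
    specs = b"".join(c.to_bytes(3, "big") for c in CIPHER_KINDS)
    body = struct.pack(">BHHHH", MT_CLIENT_HELLO, SSL2_VERSION,
                       len(specs), 0, len(challenge)) + specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def speaks_sslv2(reply):
    """True only if `reply` starts with a well-formed SSLv2 SERVER-HELLO."""
    if len(reply) < 13 or not reply[0] & 0x80:
        return False  # too short, or not a 2-byte SSLv2 record header
    length = struct.unpack(">H", reply[:2])[0] & 0x7FFF
    body = reply[2:2 + length]
    if len(body) < 11 or body[0] != MT_SERVER_HELLO:
        return False  # e.g. an SSLv2 ERROR message
    _hit, _ctype, version, cert_len, spec_len, conn_len = struct.unpack(
        ">BBHHHH", body[1:11])
    return version == SSL2_VERSION and 11 + cert_len + spec_len + conn_len == length

def sample_server_hello():
    """Constructed reply for offline use; the certificate is placeholder bytes."""
    cert, specs, conn_id = b"\x30" * 8, (0x010080).to_bytes(3, "big"), b"\x01" * 16
    body = struct.pack(">BBBHHHH", MT_SERVER_HELLO, 0, 1, SSL2_VERSION,
                       len(cert), len(specs), len(conn_id)) + cert + specs + conn_id
    return struct.pack(">H", 0x8000 | len(body)) + body

def probe(host, port=443, timeout=5.0):
    """Audit helper for a server you administer: True if it answers in SSLv2."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            while len(data) < 13:  # enough for header plus fixed fields
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError:  # timeout or reset: the server refused the hello
            pass
    return speaks_sslv2(data)
```

A `True` result on any service sharing the RSA key is the condition the article describes, even if clients only ever negotiate TLS with it.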