Dangerous New Attack Could Compromise One Third of All HTTPS Servers

A team of security researchers has uncovered a high-severity attack that puts up to one third of all HTTPS servers at risk of having their encrypted traffic decrypted. The so-called DROWN attack (CVE-2016-0800) is a cross-protocol attack: it uses a server's support for the obsolete SSLv2 protocol as a padding oracle (a Bleichenbacher-style attack on RSA PKCS#1 v1.5 encryption) to decrypt TLS sessions that used RSA key exchange under the same RSA key, even though those sessions never used SSLv2 themselves.

For the general attack, the attacker must passively capture around 1,000 TLS handshakes that use RSA key exchange, initiate roughly 40,000 SSLv2 probe connections to a server holding the same key, and perform the remaining computation offline; one of the captured sessions can then be decrypted. Running the computation on Amazon EC2 costs around $440. Sessions negotiated with an ephemeral (forward-secret) key exchange such as DHE or ECDHE do not encrypt their secrets under the RSA key, so the passive decryption described here does not recover them.

The report indicates that 25% of the top one million domains, and 33% of all HTTPS servers, are vulnerable to DROWN. The weakness is entirely on the server side: what matters is whether the server, or any other server that shares its RSA private key, still accepts SSLv2 connections. The researchers add, "There is nothing practical that browsers or end-users can do on their own to protect against this attack."

The team that discovered DROWN has gone to considerable trouble to make information available to server operators. A website (drownattack.com) that went live at the moment of public disclosure includes a testing tool to check whether your systems are vulnerable.

Users are encouraged to disable SSLv2 "… in all SSL/TLS servers if you haven't done so already." Disabling the SSLv2 cipher suites while leaving the protocol itself enabled is not sufficient unless your OpenSSL carries the fix for an earlier bug (CVE-2015-3197): an unpatched server will complete an SSLv2 handshake with a cipher that was supposedly disabled, so an attacker can still force an SSLv2 exchange whenever the protocol is present. OpenSSL 1.0.2g and 1.0.1s, released alongside the disclosure, disable SSLv2 at build time by default, and OpenSSL 1.1.0 removed the protocol entirely.

The team also cautions against sharing private keys among servers, because the attack only needs one SSLv2-speaking service that holds the key. According to the DROWN website, "Many companies reuse the same certificate and key on their web and email servers, for instance. In this case, if the email server supports SSLv2 and the web server does not, an attacker can take advantage of the email server to break TLS connections to the web server."
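The two checks above (does a port still speak SSLv2, and does any other service sharing the key speak it) can be made without the online testing tool. As an added example, not the DROWN team's tool and not code from this article, here is a Python 3 probe that sends a raw SSLv2 CLIENT-HELLO and parses the SERVER-HELLO; sending raw records is the practical route because current OpenSSL builds no longer speak SSLv2, so `openssl s_client -ssl2` is usually unavailable. The host and port come from the command line; the SERVER-HELLO bytes at the bottom are constructed for offline testing and carry placeholder certificate bytes, not a real certificate.

```python
"""SSLv2 probe for DROWN exposure (added example; not the DROWN team's tool)."""
import socket
import struct

# The seven cipher kinds of the SSLv2 specification, as 3-byte cipher-kind values.
SSL2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04


def wrap_record(body):
    """Prefix the 2-byte SSLv2 record header (high bit set, 15-bit length)."""
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_client_hello(challenge=b"\x00" * 16):
    """CLIENT-HELLO offering every SSLv2 cipher kind, with an empty session id."""
    ciphers = b"".join(SSL2_CIPHER_KINDS)
    body = (bytes([MSG_CLIENT_HELLO]) + b"\x00\x02"
            + struct.pack("!HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)
    return wrap_record(body)


def unwrap_record(data):
    """Strip a 2-byte or 3-byte SSLv2 record header; raise if incomplete."""
    if len(data) < 3:
        raise ValueError("record too short")
    if data[0] & 0x80:  # 2-byte header: 15-bit length, no padding
        length, start = ((data[0] & 0x7F) << 8) | data[1], 2
    else:               # 3-byte header: 14-bit length plus a padding-length byte
        length, start = ((data[0] & 0x3F) << 8) | data[1], 3
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated record")
    return body


def parse_server_hello(data):
    """Parse an SSLv2 SERVER-HELLO record into its fields (ValueError otherwise)."""
    body = unwrap_record(data)
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        raise ValueError("not an SSLv2 SERVER-HELLO")
    version, cert_len, spec_len, conn_len = struct.unpack("!HHHH", body[3:11])
    off = 11
    cert, off = body[off:off + cert_len], off + cert_len
    specs, off = body[off:off + spec_len], off + spec_len
    conn_id = body[off:off + conn_len]
    if len(conn_id) != conn_len or spec_len % 3:
        raise ValueError("truncated SERVER-HELLO")
    ciphers = [SSL2_CIPHER_KINDS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, spec_len, 3)]
    return {"version": version, "cert_type": body[2], "certificate": cert,
            "ciphers": ciphers, "connection_id": conn_id}


def build_server_hello(cert, cipher_kinds, conn_id):
    """Construct a SERVER-HELLO; used here only to produce sample input."""
    specs = b"".join(cipher_kinds)
    body = (bytes([MSG_SERVER_HELLO, 0, 1]) + b"\x00\x02"
            + struct.pack("!HHH", len(cert), len(specs), len(conn_id))
            + cert + specs + conn_id)
    return wrap_record(body)


def is_sslv2_answer(data):
    """True if the bytes a server sent back form a valid SSLv2 SERVER-HELLO."""
    try:
        parse_server_hello(data)
        return True
    except ValueError:
        return False  # TLS alert, closed connection, or anything else


def probe(host, port=443, timeout=5.0):
    """Return the parsed SERVER-HELLO if host:port speaks SSLv2, else None."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        while not is_sslv2_answer(data):  # keep reading until a full record or EOF
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            data += chunk
    return parse_server_hello(data) if is_sslv2_answer(data) else None


# Constructed sample input (placeholder DER bytes, not a real certificate).
SAMPLE_CERT = b"\x30\x82\x01\x00" + b"\xAA" * 12
SAMPLE_SERVER_HELLO = build_server_hello(
    SAMPLE_CERT, [b"\x01\x00\x80", b"\x07\x00\xc0"], b"\x11" * 16)
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"  # a TLS alert, not SSLv2

if __name__ == "__main__":
    import sys
    hello = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    print("SSLv2 accepted:", hello["ciphers"] if hello else "no")
```

Run it against every implicit-TLS port on every host that holds the same RSA key (443, and 465/993/995 on the mail servers the DROWN site singles out), since a single SSLv2-speaking port is all the attack needs. A SERVER-HELLO with an empty cipher list does not prove the host is safe: without the CVE-2015-3197 fix, OpenSSL still completes the handshake with a disabled cipher, so turn the protocol off rather than only its ciphers (`SSLProtocol all -SSLv2 -SSLv3` in Apache, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in nginx, `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3` in Postfix) and re-run the probe to confirm that no SERVER-HELLO comes back at all.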

See the technical paper for additional information on the DROWN attack.

Linux Magazine