DROWN Attack - New Server SSL Encryption Vulnerability Announced, 1/3 of Internet Is At Risk

DROWN Attack Website ^ | March 1, 2016 | (Various researchers)

[dayglored]

As described in this paper "DROWN: Breaking TLS using SSLv2" (PDF), it is possible to crack current TLS encryption using an old, obsolete, but nevertheless still deployed protocol, SSLv2.

This is a server-side issue -- it is not something clients (normal users) can do anything about. Folks browsing the web have to rely on the system admins at their favorite websites, mail portals, banks, shops, etc. to fix this.

It is estimated that a third of the public servers on the Internet are vulnerable to this attack.

You can test the servers in a given domain using this tool from the researchers.

[dayglored]

System admins -- FIX YOUR SERVERS! ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

[dayglored]

See also:

https://www.openssl.org/news/secadv/20160301.txt

[dayglored]

Ping for your lists.

[Talisker]

Banks?

Oh great.

[the_individual2014]

I need to send this to my security minded friends in IT.

[Blue Highway]

So is Free Republic at risk or not?

[rockrr]

lov.gov (The Library of Congress)? Why am I not surprised?

[EVO X]

Banks?

My CU is on the list.

If they overlooked this one, make me wonder what other server hardening they overlooked.

[Blue Highway]

Bank of America has a lot of vulnerabilities showing up on that test website

[WildHighlander57]

Bookmarking

[Chances Are]

So is Free Republic at risk or not?

It appears FR's secure server is at risk. Or, at least, that's what the offered tool says... CA....

[EVO X]

I suspect there might be some healthcare providers, too..

[Gideon7]

Huh? SSLv2 (and indeed all cipher suites using SSL) have been deprecated for a long time.

PCI compliance and auditing required SSL be turned off for a long time now.

[glasseye]

Found this...

Results for freerepublic.com
The following domain names are vulnerable to man-in-the-middle attacks. Attackers may be able to impersonate the server and steal or change data.
Update server software at all IP addresses shown, and ensure SSLv2 is disabled.
Vulnerable Domains: Vulnerable Because:
secure.freerepublic.com
www.secure.freerepublic.com
view certificate
209.157.64.202:443
is vulnerable to CVE-2016-0703

[Protect the Bill of Rights]

Vulnerable Domains:
secure.freerepublic.com
www.secure.freerepublic.com

View certificate:
https://censys.io/ipv4?q=0a88f0ade2749ef6e482c87e8542350548326f9282621f3e5f1d7411c229f03d

Vulnerable Because:
209.157.64.202:443
is vulnerable to CVE-2016-0703

[Protect the Bill of Rights]

GMTA-some faster than others. :)

[Kirkwood]

what is PCI compliance?

[Gideon7]

The MIM attack is theoretical. I’m not aware of it being exploited by hackers (you have to be/hack an ISP itself first).

The fix is easy. Just turn off TLS 1.1 and use 1.2 or later.

PCI audits have requrired dropping TLS 1.1 since mid 2015 anyway.

The whole article is FUD. Looks self promotional for some guy’s website.

[Gideon7]

PCI = Payment Card Industry. If you accept credit cards you get audited and scanned monthly and get flagged if you don’t comply.

Because of that software vendors are generally careful to keep web software up to date (Apache, IIS, etc).