Posted on 03/02/2016 1:10:04 PM PST by dayglored
As described in this paper "DROWN: Breaking TLS using SSLv2" (PDF), it is possible to crack current TLS encryption using an old, obsolete, but nevertheless still deployed protocol, SSLv2.
This is a server-side issue -- it is not something clients (normal users) can do anything about. Folks browsing the web have to rely on the system admins at their favorite websites, mail portals, banks, shops, etc. to fix this.
It is estimated that a third of the public servers on the Internet are vulnerable to this attack.
You can test the servers in a given domain using this tool from the researchers.
Ping for your lists.
Banks?
Oh great.
I need to send this to my security minded friends in IT.
So is Free Republic at risk or not?
lov.gov (The Library of Congress)? Why am I not surprised?
My CU is on the list.
If they overlooked this one, make me wonder what other server hardening they overlooked.
Bank of America has a lot of vulnerabilities showing up on that test website
Bookmarking
It appears FR's secure server is at risk. Or, at least, that's what the offered tool says... CA....
I suspect there might be some healthcare providers, too..
Huh? SSLv2 (and indeed all cipher suites using SSL) have been deprecated for a long time.
PCI compliance and auditing required SSL be turned off for a long time now.
Found this...
Results for freerepublic.com
The following domain names are vulnerable to man-in-the-middle attacks. Attackers may be able to impersonate the server and steal or change data.
Update server software at all IP addresses shown, and ensure SSLv2 is disabled.
Vulnerable Domains: Vulnerable Because:
secure.freerepublic.com
www.secure.freerepublic.com
view certificate
209.157.64.202:443
is vulnerable to CVE-2016-0703
Vulnerable Domains:
secure.freerepublic.com
www.secure.freerepublic.com
View certificate:
https://censys.io/ipv4?q=0a88f0ade2749ef6e482c87e8542350548326f9282621f3e5f1d7411c229f03d
Vulnerable Because:
209.157.64.202:443
is vulnerable to CVE-2016-0703
GMTA-some faster than others. :)
what is PCI compliance?
The MIM attack is theoretical. I’m not aware of it being exploited by hackers (you have to be/hack an ISP itself first).
The fix is easy. Just turn off TLS 1.1 and use 1.2 or later.
PCI audits have requrired dropping TLS 1.1 since mid 2015 anyway.
The whole article is FUD. Looks self promotional for some guy’s website.
PCI = Payment Card Industry. If you accept credit cards you get audited and scanned monthly and get flagged if you don’t comply.
Because of that software vendors are generally careful to keep web software up to date (Apache, IIS, etc).
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.