Expert have warned that Websites could be exposing themselves to an attack that can break and exploit HTTPS encryption protections in less than a minute.
Yep, that’s right. There’s another branded exploit out there, and this one is causing more concern than most. More than 33% of servers worldwide are vulnerable to an attack that can decrypt secure HTTPS protocol communications, such as credit card numbers and passwords, in less than a minute.
“DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data.”
The researchers behind this latest news, have said that more than 11 million websites and e-mail services using HTTPS, most commonly associated with a small padlock in web browsers, have exposed themselves significantly to Drown attacks.
“DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption, allows an attacker to decrypt intercepted TLS connections by making specially crafted connections to an SSLv2 server that uses the same private key.”
It works against HTTPS by sending specially crafted packets to a server, or if the certificate is shared on another server, effectively performing a Man-in-the-Middle attack.
Unfortunately, there’s little to nothing that end users can do to protect themselves against the effect of a DROWN attack, as the issue is server based in nature.
“Operators of vulnerable servers need to take action. There is nothing practical that browsers or end-users can do on their own to protect against this attack.”
In order to defend against DROWN attacks, server operators will have to ensure SSLv2 is disabled, or make sure that the private key is not shared across any other servers. Certificates for those affected will not have to re-issue certificates, but to prevent an attack from being successful, should react and take action straight away.
A fix has already been made available as part of an openSSL update released yesterday, but engaging in a DROWN attack against servers is apparently a relatively simple affair for those with the technical capability.