More than 11 million HTTPS websites are at risk from the new DROWN attack
After Heartbleed, the severe vulnerability that shook the world last year, another critical vulnerability is raising similar concerns. A newly discovered OpenSSL security hole allows an obsolete security protocol, Secure Sockets Layer version 2 (SSLv2), to be used to attack modern websites.
Readers should understand the severity of this vulnerability, as virtually all banks, financial institutions, and other websites that collect personally identifiable information (PII) use HTTPS for secure communication between the user and web server.
The attack that exploits this vulnerability, called DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), is estimated to affect at least a third of all HTTPS servers. The researchers who discovered the flaw stated that at least 11.5 million websites using the HTTPS protocol may be at risk from the DROWN attack.
The DROWN attack was revealed by academic researchers from the Department of Electrical Engineering, Tel Aviv University, Münster University of Applied Sciences, Horst Görtz Institute for IT Security, Ruhr University of Bochum, University of Pennsylvania, Hashcat Project, University of Michigan, Two Sigma / OpenSSL, and Google / OpenSSL.
The researchers said: "We are already in a position to perform the attack on OpenSSL versions that are vulnerable to CVE-2016-0703 in less than one minute using a single computer. Even for servers that do not have these specific bugs, the general attack index, which runs against any SSLv2 server, can be run in less than 8 hours, with a total cost of $440."
As of today, some of the top websites ranked by Alexa are vulnerable to DROWN-based man-in-the-middle attacks, including Yahoo, Sina and Alibaba. Even the first state bank, Bank of India, India, is vulnerable to CVE-2016-0703 (MITM attack), which allows potential attackers to decrypt recorded traffic and steal data.
The researchers said that outdated 7 versions of Microsoft Internet Information Services (IIS) were previously vulnerable, and that versions of Network Security Services (NSS), a common cryptographic library embedded in many server products, before version 3.13 of 2012 are also open to attack.
You can find out if your site is vulnerable by using the DROWN attack test site.
In any case, if you use OpenSSL for security, it's time to upgrade to 1.0.2g. OpenSSL 1.0.1 users will need to upgrade to version 1.0.1s.
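The upgrade guidance above can be checked across a fleet by comparing each host's `openssl version` banner with the fixed release for its branch. The following Python sketch is an added example, not code from the article or from OpenSSL; the function names and the sample banners are assumptions made for illustration.

```python
import re

# Fixed releases per branch, exactly as named in the article.
FIXED = {"1.0.2": "g", "1.0.1": "s"}

# Matches "1.0.1f", "1.0.2g-fips", "1.0.2" (no patch letter), "1.0.2zd".
_VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)([a-z]{0,2})(?![a-z0-9])")


def parse_openssl_version(banner):
    """Return (branch, patch_letters) from an `openssl version` banner."""
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % banner)
    return m.group(1), m.group(2)


def _patch_key(letters):
    # Patch letters run "", a..z, then za, zb, ...; sort by length, then text.
    return (len(letters), letters)


def drown_patch_status(banner):
    """'patched', 'upgrade', or 'unknown' for branches the article does not name."""
    branch, letters = parse_openssl_version(banner)
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown"
    return "patched" if _patch_key(letters) >= _patch_key(fixed) else "upgrade"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    samples = [
        "OpenSSL 1.0.1f 6 Jan 2014",
        "OpenSSL 1.0.1s  1 Mar 2016",
        "OpenSSL 1.0.2 22 Jan 2015",
        "OpenSSL 1.0.2g-fips  1 Mar 2016",
        "OpenSSL 0.9.8zh 3 Dec 2015",
    ]
    for banner in samples:
        # Distribution packages may backport fixes without changing the
        # upstream letter, so confirm an "upgrade" result with the vendor.
        print("%-34s -> %s" % (banner, drown_patch_status(banner)))
```

A result of "unknown" means the branch is not one the article gives a fixed release for, so it needs a separate check.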