DROWN HTTPS Vulnerability Threatens 11 Million OpenSSL Web Sites
Source: CIO Today
A newly discovered vulnerability could threaten the security of millions of Web sites previously thought to be relatively safe from attack. The exploit, called a DROWN attack, affects sites protected by some of the most common security measures such as HTTPS, SSL, and TLS.
Using DROWN, a hacker can break the encryption to read users' communications and steal usernames and passwords, credit card numbers, trade secrets and financial data. Around 33 percent of all HTTPS servers are vulnerable to DROWN, a group that includes Web sites, mail servers, and other TLS-dependent services, according to the research team that discovered the exploit.
The exploit was discovered by a group of researchers from a number of academic institutions, tech companies, and open source projects, including Tel Aviv University, the University of Pennsylvania, the Hashcat project, the University of Michigan, Google, and the OpenSSL project.
What appears to be particularly frightening is the lack of options for end users to protect themselves from the threat. "Operators of vulnerable servers need to take action," the research team wrote. "There is nothing practical that browsers or end-users can do on their own to protect against this attack."
Read more: http://www.cio-today.com/article/index.php?story_id=0020002HFCKK
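The excerpt above does not say what the "action" for operators is. DROWN targets servers that still accept SSLv2 handshakes (or share an RSA key with one that does), so the practical check is whether a host answers an SSLv2 ClientHello with an SSLv2 ServerHello. The following Python is an added example, not code from the article or the DROWN researchers: it builds the SSLv2 ClientHello a scanner would send, parses a ServerHello, and classifies the reply. The record and message layouts follow the SSLv2 draft specification; the server reply used for the offline demonstration is constructed here (including a placeholder certificate blob), not captured from a real server, and `probe_server` is a hypothetical helper for the live check.

```python
"""Offline SSLv2 ClientHello builder and ServerHello parser (added example).

SSLv2 uses a two-byte record header (high bit set, 15-bit body length) and
three-byte cipher-spec codes.  A server that answers a ClientHello with an
SSLv2 ServerHello still speaks the protocol DROWN relies on.
"""
import os
import socket
import struct
from typing import Dict, List, Optional

# SSLv2 cipher-spec codes (3 bytes each) as listed in the SSLv2 draft.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "RC4_128_WITH_MD5",
    b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
SSLV2_VERSION = 0x0002


def _record(body: bytes) -> bytes:
    """Wrap a message in a 2-byte SSLv2 record header (no padding byte)."""
    assert len(body) < 0x8000
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_client_hello(challenge: Optional[bytes] = None) -> bytes:
    """ClientHello offering every SSLv2 cipher spec, with an empty session id."""
    challenge = challenge or os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS)
    header = struct.pack(">BHHHH", MSG_CLIENT_HELLO, SSLV2_VERSION,
                         len(ciphers), 0, len(challenge))
    return _record(header + ciphers + challenge)


def parse_server_hello(data: bytes) -> Optional[Dict]:
    """Return version and cipher names from an SSLv2 ServerHello, else None.

    A TLS alert or any non-SSLv2 bytes (high bit clear, wrong message type,
    inconsistent lengths) yield None rather than raising.
    """
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    # session-id-hit, certificate type, version, cert len, cipher len, conn-id len
    _hit, _cert_type, version, cert_len, cipher_len, conn_len = struct.unpack(">BBHHHH", body[1:11])
    if len(body) != 11 + cert_len + cipher_len + conn_len:
        return None
    pos = 11 + cert_len
    raw = body[pos:pos + cipher_len]
    ciphers = [SSLV2_CIPHERS.get(raw[i:i + 3], raw[i:i + 3].hex()) for i in range(0, cipher_len, 3)]
    return {"version": version, "cert_len": cert_len, "ciphers": ciphers}


def classify(response: bytes) -> str:
    """Map a server reply to a DROWN-relevant verdict."""
    hello = parse_server_hello(response)
    if hello is None:
        return "no-sslv2"
    return "sslv2-offered" if hello["ciphers"] else "sslv2-handshake-no-ciphers"


def make_sample_server_hello(cipher_specs: List[bytes]) -> bytes:
    """Constructed ServerHello for offline use; the certificate bytes are a placeholder."""
    cert = b"\x30\x82\x01\x00" + b"\x00" * 12  # NOT a real DER certificate
    ciphers = b"".join(cipher_specs)
    conn_id = b"\x42" * 16
    header = struct.pack(">BBBHHHH", MSG_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                         len(cert), len(ciphers), len(conn_id))
    return _record(header + cert + ciphers + conn_id)


def probe_server(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Hypothetical live check: send the ClientHello and classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return classify(sock.recv(4096))


if __name__ == "__main__":
    sample = make_sample_server_hello([b"\x01\x00\x80", b"\x07\x00\xc0"])
    print(classify(sample), parse_server_hello(sample)["ciphers"])
    print(classify(b"\x15\x03\x01\x00\x02\x02\x46"))  # a TLS alert is not SSLv2
```

A reply classified as `sslv2-offered` means the host itself must have SSLv2 disabled; because DROWN is a cross-protocol attack, any other service that shares the same RSA key as an SSLv2-speaking host is exposed too, so the check has to cover every host and port where a given certificate key is deployed, not only the web front end.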
RiverNoord (1,150 posts)
bemildred (90,061 posts)
Although these restrictions, evidently designed to make it easier for NSA (National Security Agency) to decrypt the communication of people abroad, were relaxed nearly 20 years ago, the weakened cryptography remains in the protocol specifications and continues to be supported by many servers today, adding complexity -- and the potential for catastrophic failure -- to some of the Internet's most important security features, the researchers said.
The government deliberately weakened three kinds of cryptographic primitives: RSA encryption, Diffie-Hellman key exchange, and symmetric ciphers, according to the research team. The team said that decades later all three kinds of deliberately weakened cryptography have put the security of the Internet at risk.
LiberalArkie (15,703 posts)
The researchers said that DROWN is the result of the U.S. government's encryption restrictions that were designed to weaken Internet security in the 1990s.
Although these restrictions, evidently designed to make it easier for NSA (National Security Agency) to decrypt the communication of people abroad, were relaxed nearly 20 years ago, the weakened cryptography remains in the protocol specifications and continues to be supported by many servers today, adding complexity -- and the potential for catastrophic failure -- to some of the Internet's most important security features, the researchers said.
The government deliberately weakened three kinds of cryptographic primitives: RSA encryption, Diffie-Hellman key exchange, and symmetric ciphers, according to the research team. The team said that decades later all three kinds of deliberately weakened cryptography have put the security of the Internet at risk.
Tab (11,093 posts)
(he's a lead of one of the task forces that set standards for the Internet)
I'm curious to see what his opinion is. Be happy to post a synopsis of what he said.
C Moon (12,209 posts)
Just one more thing the GOP is still trying to get their grubby hands on...
Strange that the article is nowhere to be found on the L.A. Times online version. :/
Maybe if I log in it's there somewhere.
http://www.pressreader.com/usa/los-angeles-times/20160302/281917362164461
Senator blasts Obama role in Internet ruling
WASHINGTON President Obama unduly influenced federal regulators to adopt tough net neutrality regulations for online traffic last year, according to an investigation by a Republican senator.
Tom Wheeler, chairman of the Federal Communications Commission, and his staff were finishing work on a less heavy-handed approach in November 2014 when Obama publicly called for the agency to take a more aggressive and controversial direction, said a report released Tuesday from Sen. Ron Johnson (R-Wis.), chairman of the Senate Homeland Security and Government Affairs Committee.
Obama urged the independent FCC to put broadband providers in the same legal category as more highly regulated conventional telephone companies.
LiberalArkie (15,703 posts)
He wanted a chip installed called "Clipper Chip" that would enable the gov to have free and anytime access to digital information. This did not pass, but putting mandatory back doors in the encryption software did. Until PGP came along.
Nihil (13,508 posts)
I'd have guessed at Bush I or even Reagan as it had slipped into my personal memory hole ...
PeoViejo (2,178 posts)
There is no key.
joshcryer (62,269 posts)
The NSA is not doing its fucking job.