
IDemo

(16,926 posts)
Wed Mar 2, 2016, 06:12 PM Mar 2016

DROWN HTTPS Vulnerability Threatens 11 Million Open SSL Web Sites

Source: CIO Today

A newly discovered vulnerability could threaten the security of millions of Web sites previously thought to be relatively safe from attack. The exploit, called a DROWN attack, affects sites protected by some of the most common security measures such as HTTPS, SSL, and TLS.

Using DROWN, a hacker can break encryptions to read users’ communications and steal usernames and passwords, credit card numbers, trade secrets and financial data. Around 33 percent of all HTTPS servers are vulnerable to DROWN, a group that includes Web sites, mail servers, and other TLS-dependent services, according to the research team that discovered the exploit.

The exploit was discovered by a group of researchers from a number of academic institutions, tech companies, and open source projects, including Tel Aviv University, the University of Pennsylvania, the Hashcat project, the University of Michigan, Google, and the OpenSSL project.

What appears to be particularly frightening is the lack of options for end users to protect themselves from the threat. “Operators of vulnerable servers need to take action,” the research team wrote. “There is nothing practical that browsers or end-users can do on their own to protect against this attack.”

Read more: http://www.cio-today.com/article/index.php?story_id=0020002HFCKK

DROWN HTTPS Vulnerability Threatens 11 Million Open SSL Web Sites (Original Post) IDemo Mar 2016 OP
great. 2naSalit Mar 2016 #1
And it's time to patch the firewall again... RiverNoord Mar 2016 #2
Priceless. bemildred Mar 2016 #3
Good ol NSA LiberalArkie Mar 2016 #4
+10000 Cavallo Mar 2016 #8
I've asked a friend for his opinion Tab Mar 2016 #5
This was in the L.A. Times print version this morning regarding Net Neutrality... C Moon Mar 2016 #6
I guess I should point out that Bill Clinton wanted a backdoor in all digital services. LiberalArkie Mar 2016 #7
I'd forgotten that Clinton was behind the "Clipper" debacle ... Nihil Mar 2016 #10
A 'One-time Pad is the only secure encryption PeoViejo Mar 2016 #9
First HEARTBLEED and now this? joshcryer Mar 2016 #11

bemildred

(90,061 posts)
3. Priceless.
Wed Mar 2, 2016, 06:22 PM
The researchers said that DROWN is the result of the U.S. government’s encryption restrictions that were designed to weaken Internet security in the 1990s.

“Although these restrictions, evidently designed to make it easier for NSA (National Security Agency) to decrypt the communication of people abroad, were relaxed nearly 20 years ago, the weakened cryptography remains in the protocol specifications and continues to be supported by many servers today, adding complexity -- and the potential for catastrophic failure -- to some of the Internet’s most important security features,” the researchers said.

The government deliberately weakened three kinds of cryptographic primitives: RSA encryption, Diffie-Hellman key exchange, and symmetric ciphers, according to the research team. The team said that decades later all three kinds of deliberately weakened cryptography have put the security of the Internet at risk.

LiberalArkie

(15,703 posts)
4. Good ol NSA
Wed Mar 2, 2016, 06:24 PM

The researchers said that DROWN is the result of the U.S. government’s encryption restrictions that were designed to weaken Internet security in the 1990s.

“Although these restrictions, evidently designed to make it easier for NSA (National Security Agency) to decrypt the communication of people abroad, were relaxed nearly 20 years ago, the weakened cryptography remains in the protocol specifications and continues to be supported by many servers today, adding complexity -- and the potential for catastrophic failure -- to some of the Internet’s most important security features,” the researchers said.

The government deliberately weakened three kinds of cryptographic primitives: RSA encryption, Diffie-Hellman key exchange, and symmetric ciphers, according to the research team. The team said that decades later all three kinds of deliberately weakened cryptography have put the security of the Internet at risk.

Tab

(11,093 posts)
5. I've asked a friend for his opinion
Wed Mar 2, 2016, 06:25 PM

(he's a lead of one of the task forces that sets standards for the Internet)

I'm curious to see what his opinion is. Be happy to post a synopsis of what he said.

C Moon

(12,209 posts)
6. This was in the L.A. Times print version this morning regarding Net Neutrality...
Wed Mar 2, 2016, 06:42 PM

Just one more thing the GOP is still trying to get their grubby hands on...

Strange that the article is nowhere to be found on the L.A. Times online version. :/
Maybe if I log in it's there somewhere.

http://www.pressreader.com/usa/los-angeles-times/20160302/281917362164461

Senator blasts Obama role in Internet ruling

WASHINGTON — President Obama “unduly influenced” federal regulators to adopt tough net neutrality regulations for online traffic last year, according to an investigation by a Republican senator.

Tom Wheeler, chairman of the Federal Communications Commission, and his staff were finishing work on a less heavy-handed approach in November 2014 when Obama publicly called for the agency to take a more aggressive and controversial direction, said a report released Tuesday from Sen. Ron Johnson (R-Wis.), chairman of the Senate Homeland Security and Government Affairs Committee.

Obama urged the independent FCC to put broadband providers in the same legal category as more highly regulated conventional telephone companies.

LiberalArkie

(15,703 posts)
7. I guess I should point out that Bill Clinton wanted a backdoor in all digital services.
Wed Mar 2, 2016, 06:50 PM

He wanted a chip installed called the "Clipper Chip" that would enable the gov to have free and anytime access to digital information. This did not pass, but putting mandatory back doors in the encryption software did. Until PGP came along.


Nihil

(13,508 posts)
10. I'd forgotten that Clinton was behind the "Clipper" debacle ...
Thu Mar 3, 2016, 07:02 AM

I'd have guessed at Bush I or even Reagan as it had slipped into my personal memory hole ...
