Blog Header Banner

Archive for the ‘desktop security’ tag

DROWN Attacks – Web Encryption No Longer Safe – Is My Web Site at Risk?   no comments

Posted at Apr 28, 2016 @ 9:07am Web hosting

drown-attackEncryption fills the headlines with stories of APPLE and decoding iPhones – but with all the security challenges and cyber threats today – its getting hard pressed to have a web site, computer, or mobile device and not realize your data is as private as you once thought.  Encryption is what protects (hides) the details of what we do online certain web sites – keeping your private banking or purchasing data (or online traffic hidden) from prying eyes.  But last month a new threat called DROWN was publicized that essentially made it so many web sites you shop, visit or utilize that you thought were secure and private via their https SSL encrypted access turned out to not be so private.

DROWN, standing for Decrypting RSA with Obsolete and Weakened eNcryption, is an xample of a cross-protocol attack that exploits weaknesses in the widely used online encryption protocol, SSLv2.  Using weaknesses in the SSLv2 implementations against TLS (transport layer security) hackers can “decrypt passively collected TLS sessions from up to date clients.” Or in simpler terms, hackers and anyone can see what you are doing, your personal details, and more when you thought you may of been protected by that SSL ‘lock’ protected symbol next to the web site you were shopping or visiting.

TLS is probably the most important security protocol on the internet.  Almost every action you take on the internet relies on the use of a TLS version.  Not just you accessing a web site, but a lot of the back behind the scenes things like email transmission, to database connections, to sending files between servers for backups.

Fortunately, the latest versions of OpenSSL do not utilize SSLv2 connections by default.  However, if your certificate or key is being used in another location on a server that supports SSLv2, you could be at risk.  For example, the mail service (POP, IMAP, SMTP connections).

A DRWON attack would be able to decrypt HTTPS connections, sending specifically designed packets to another server.  If the certificate is on more than one server, it is possible a MitM (man in the middle) attack can be successful.

Isn’t SSLv2 depreciated?  Why is this still a threat?  In the early 2000’s SSLv2 was still supported by browsers, to be used as a fallback protocol.  An attacker could easily trick the browser into using an older protocol.  Thankfully, this is no longer an issue if you are using a recent version of your web browser.

While browsers are no longer supporting SSLv2, most servers still do.  Most servers are configured to use both TLS and SSLv2.  This means both protocols would use the same RSA private key.  Therefore, any bugs in the SSLv2 protocol that use the private key, potentially could affect the security of TLS.

While this all may sound a little scary, as most security vulnerabilities are.  TurnKey Internet takes all security avenues very seriously.  Our web hosting servers and software are always kept up to date.  If your account is on any of our shared hosting packages, you have nothing to worry about.  Just in case, you want to test your sites security against DROWN or the server your account is hosted on.  Please feel free to do so here – https://drownattack.com/#check  You will need to use the IP address your site is living on and not your domain name – which you can easily find by using a DNS lookup service such as http://www.getip.com/.

If you need assistance finding your web sites IP, or reviewing your security  please send us a support ticket (helpdesk@turnkeyinternet.net) and we would be happy to tell you.

 

 

 

 

Share : Facebooktwitterredditlinkedinmail Follow Us : Facebooktwitterlinkedinyoutubeinstagram