There’s a new vulnerability knocking about and it affects the very internet traffic that’s meant to be the most secure, which is always what you want to hear. It’s called Drown and with all the encryption issues between Apple and the FBI it’s pretty topical too. Here’s what you need to know.
Security researchers from public universities, Google and open source groups have figured out a way to compromise some of the ‘secure’ traffic nipping around the internet. The vulnerability is a knock-back from government ‘backdoors’ that were implemented in encrypted traffic back in the day (sound familiar?) and it’s being likened to Poodle and some of the other mid-sized flaws that were hitting headlines last year.
As yet it doesn’t look like attackers have found a way to replicate the attack and a fix has been issued but it’ll probably just take a bit of time for web admins to protect their systems.
In tech talk, it’s an HTTPS encryption vulnerability (called Drown because of ‘Decrypting RSA with Obsolete and Weakened eNcryption’) and affects HTTPS websites and other network services that rely on SSLv2.
And in English: These cryptographic protocols are what helps you send information around the web encrypted; the vulnerability lets attackers potentially decrypt your encrypted info and have a gander at your personal info – passwords etc – providing they find some way of getting inbetween you and the website you’re trying to visit (think dodgy free café wifi).
The guys that discovered Drown reckon about a third of all HTTPS servers are vulnerable. A server is vulnerable to Drown if:
- It allows SSLv2 connections. This is an old-school type of SSL but some systems are still gonna use it.
- Its private key is used on any other server that allows SSLv2 connections, even for another protocol e.g. Lots of companies reuse the same certificate and key on their web and email servers.
You can use the Drown website to check whether your server could be at risk.
It’s down to server operators to ensure that their servers aren’t vulnerable by making sure that their private keys aren’t used anywhere with server software that allows SSLv2 connections. Most UKFast clients will no longer be using SSLv2 (or even SSLv3), due to the numerous other flaws against it, but please feel free to get in touch if you have any doubts.
It’s also a working example of the damage that encryption back doors can do. Apple and the FBI are hashing it out at the moment over whether Apple should provide a back door to their encryption so the FBI can get into the device of San Bernardino shooter Syed Farook. As this vuln shows, it’s probably not going to work out well for tech in the long term if this came to pass.
“These three attacks targeting different flaws from export-grade cryptography from the 90s are the best natural experiment we have about the long-term damage to security that can come from deliberately weakening cryptography,” said Nadia Heninger, an assistant computer and information science professor at the University of Pennsylvania and a member of the Drown attack research team.
If UKFast customers have any concerns please get in touch with your account manager.