Today it was announced that there is a high-level risk (the DROWN attack) in the OpenSSL library that allows malicious actors to mount man-in-the-middle attacks against sessions using the ancient SSLv2 protocol. Not only are the sessions still using the antiquated SSLv2 protocol vulnerable, but any other service sharing the private key with that SSLv2 endpoint is at risk (e.g. a web server using SSLv2 and a mail server using TLS 1.2 with the same certificate are both vulnerable, since the key can be used to crack both sessions through the SSLv2 vulnerability). At this point there is no fix for this vulnerability except removing SSLv2 from the enterprise, a protocol that was declared insecure about 20 years ago.
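As an added example (not part of the original post), here is a defender's check for the one thing the post says has to go: a Python probe that builds an SSLv2 CLIENT-HELLO, parses any SERVER-HELLO that comes back, and returns the server certificate's hash so that services sharing a certificate with an SSLv2-enabled endpoint can be spotted across an inventory. The host/port arguments and the sample SERVER-HELLO are assumptions constructed for illustration.

```python
import hashlib, os, socket, struct

# SSLv2 cipher specs (3 bytes each), labels as in the SSLv2 spec minus the SSL_CK_
# prefix; offering all of them detects SSLv2 support whatever ciphers the server kept.
SSL2_CIPHERS = {
    b"\x01\x00\x80": "RC4_128_WITH_MD5", b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5", b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5", b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}

def build_client_hello(challenge=None):
    """SSLv2 CLIENT-HELLO: 2-byte record header (high bit set) + body."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSL2_CIPHERS)
    body = (b"\x01\x00\x02"                                   # CLIENT-HELLO, version 2.0
            + struct.pack(">HHH", len(specs), 0, len(challenge))  # no session id
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_server_hello(data):
    """(sha256 of server cert, accepted SSLv2 ciphers) for a SERVER-HELLO, else None."""
    if not data or not data[0] & 0x80:                        # TLS alert, garbage, empty
        return None
    body = data[2:2 + (struct.unpack(">H", data[:2])[0] & 0x7FFF)]
    if len(body) < 11 or body[0] != 0x04:                     # 0x04 = SERVER-HELLO
        return None
    # layout: hit(1) cert_type(1) version(2) cert_len(2) specs_len(2) conn_id_len(2)
    cert_len, specs_len, _ = struct.unpack(">HHH", body[5:11])
    cert = body[11:11 + cert_len]
    raw = body[11 + cert_len:11 + cert_len + specs_len]
    ciphers = [SSL2_CIPHERS.get(raw[i:i + 3], "unknown") for i in range(0, len(raw), 3)]
    return hashlib.sha256(cert).hexdigest(), ciphers

def sample_server_hello(cert=b"CONSTRUCTED-DER", specs=b"\x01\x00\x80\x07\x00\xc0"):
    """Constructed SERVER-HELLO for offline testing; the cert bytes are a placeholder."""
    body = (b"\x04\x00\x01\x00\x02"                           # SERVER-HELLO, no hit, X.509, 2.0
            + struct.pack(">HHH", len(cert), len(specs), 16) + cert + specs + b"\x00" * 16)
    return struct.pack(">H", 0x8000 | len(body)) + body

def probe(host, port, timeout=5.0):
    """Live check of an endpoint you administer; None means it did not speak SSLv2.
    Equal cert hashes across hosts show which services share an exposed key."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = s.recv(16384)
        need = 2 + (struct.unpack(">H", data[:2])[0] & 0x7FFF) if len(data) >= 2 and data[0] & 0x80 else 0
        while len(data) < need:                               # SERVER-HELLO split across segments
            chunk = s.recv(16384)
            if not chunk:
                break
            data += chunk
    return parse_server_hello(data)
```

Run `probe("mail.example.test", 465)` style calls only against your own endpoints; any non-None result is an SSLv2 endpoint whose certificate hash should be searched for on every other service.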
And now, for the very first time, a vulnerability has its very own theme song. Too soon? I think not. It's been 20 years in the making. CUE THE MUSIC!!