Tuesday, March 1, 2016

DROWN Attack Has Its Own Theme Song

Today it was announced that there's a high-level risk (the DROWN attack) within the OpenSSL library that allows malicious actors to mount man-in-the-middle attacks against sessions using the ancient SSLv2 protocol. Not only are sessions that still use the antiquated SSLv2 protocol vulnerable, but any other service sharing its private key with an SSLv2-enabled service is also at risk (e.g., a web server using SSLv2 and a mail server using TLS 1.2 with the same certificate are both vulnerable, since the key can be used to crack both sessions due to the SSLv2 vulnerability). At this point there is no fix for this vulnerability except removing SSLv2, which was named vulnerable about 20 years ago, from the enterprise.
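This added example, not part of the original post, groups a constructed scan inventory by certificate key fingerprint and flags TLS-only services whose key is also served by an SSLv2-enabled endpoint. The host names, fingerprints and the `Endpoint`, `normalize` and `classify` names are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    protocols: frozenset  # protocol versions the endpoint accepted in a scan
    key_fp: str           # fingerprint of the public key in its certificate


# Constructed sample inventory: hypothetical hosts, placeholder fingerprints.
INVENTORY = [
    Endpoint("www.example.test", 443, frozenset({"SSLv2", "TLSv1.0"}), "AA:BB:01"),
    Endpoint("mail.example.test", 465, frozenset({"TLSv1.2"}), "aabb01"),
    Endpoint("vpn.example.test", 443, frozenset({"TLSv1.2"}), "CC:DD:02"),
    Endpoint("old.example.test", 8443, frozenset({"SSLv2"}), "EE:FF:03"),
]


def normalize(fp):
    """Tools print fingerprints with or without colons and in either case."""
    return fp.replace(":", "").strip().lower()


def classify(inventory):
    """Map each endpoint to (status, SSLv2 endpoints that use the same key)."""
    by_key = defaultdict(list)
    for ep in inventory:
        by_key[normalize(ep.key_fp)].append(ep)
    report = {}
    for group in by_key.values():
        sslv2 = [ep for ep in group if "SSLv2" in ep.protocols]
        for ep in group:
            if ep in sslv2:
                status = "direct"      # accepts SSLv2 itself
            elif sslv2:
                status = "shared-key"  # TLS-only, but its key is served over SSLv2 elsewhere
            else:
                status = "clear"
            report[ep] = (status, sslv2)
    return report


if __name__ == "__main__":
    for ep, (status, via) in classify(INVENTORY).items():
        fix = ", ".join(f"{v.host}:{v.port}" for v in via) or "-"
        print(f"{ep.host}:{ep.port:<5} {status:<10} disable SSLv2 on: {fix}")
```

The second column of each `shared-key` row names the endpoints where SSLv2 has to be turned off before the TLS-only service is no longer exposed.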

And now for the very first time a vulnerability has its very own theme song. Too soon? I think not. It's been 20 years in the making. CUE THE MUSIC!!
