New 'Drown' Bug: Millions of Secure Sites Could be at Risk
An estimated 11 million secure websites could be vulnerable to hackers exploiting a security bug. Amazingly, the bug has to do with technology that is over 20 years old. There's little, if anything, website visitors can do, as the bug needs fixing by site operators (in practice, by switching off the obsolete SSLv2 protocol on every server that shares a site's certificate). However, it is possible to check whether a site appears to be vulnerable.
The bug has been dubbed Drown, a name rather tenuously derived from "Decrypting RSA with Obsolete and Weakened eNcryption."
The researchers who uncovered the bug aren't publishing the precise details needed to carry out the attack. At the moment it's not known whether hackers were aware of the bug or actively exploiting it, but even if they weren't, the clock is now clearly ticking, as they'll have been tipped off by the disclosure.
1990s Security Technology at Fault
The bug actually involves SSLv2, an encryption protocol from the mid-1990s that has been considered broken and obsolete for many years. The problem is that Drown affects any website whose server still accepts SSLv2 connections, even though modern browsers never use it: an attacker can open SSLv2 connections to that server and use its responses to decrypt the modern TLS connections of ordinary visitors, because both protocols are protected by the same RSA key. (Source: bbc.co.uk) Unlike Heartbleed, which was a memory-leak bug in one particular TLS library (OpenSSL), Drown is a flaw in the SSLv2 protocol itself, so it affects any server that still speaks SSLv2, whatever software it runs.
That could be a problem for sites that have grown by adding code and technologies over the years, rather than starting afresh with each new security technique. In particular, a site can be vulnerable even if its web server has SSLv2 switched off: if any other server, such as an old-fashioned email server from the days before web-based email became popular, uses the same certificate or RSA key and still accepts SSLv2, an attacker can use that server to decrypt traffic to the website.
According to the researchers, in some specific cases (servers running OpenSSL versions with additional, separately fixed bugs) it could be possible to decrypt a visitor's secure session with a website in less than a minute using only a single PC. Even without those favorable conditions, it would be possible to decrypt a session in around eight hours using a cloud computing service at a cost of around $440. (Source: zdnet.com)
Hackers Could Intercept 'Secure' Data
Attackers who successfully exploit the vulnerability could decrypt secure traffic they have captured between a website and a visitor, and in the fastest cases could pull off a "man-in-the-middle" attack, impersonating the site and intercepting communications as they happen. Not only does this mean the attacker could see personal details that should be encrypted, such as passwords and session cookies, but they are unlikely to be detected in doing so, since the visitor's browser sees what looks like a perfectly normal secure connection.
It's down to site operators to fix the problem, but you can check whether a website appears vulnerable using a tool at https://test.drownattack.com, which looks both for servers that still accept SSLv2 and for other servers sharing the site's certificate. However, the scan results may not update immediately, even if the website has recently been patched.
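The core of such a check is simply asking a server whether it still speaks SSLv2, and then asking the same question of the mail or other servers that might share its certificate. The following is an added example of that check and is not the test.drownattack.com tool's code or the researchers' code: it builds a raw SSLv2 CLIENT-HELLO, parses the SERVER-HELLO a vulnerable server replies with, and hashes the returned certificate so results from different hosts and ports can be compared. The cipher-kind codes are those of the SSL 2.0 specification; the sample SERVER-HELLO at the bottom is constructed here (including a placeholder certificate) so the parser can be exercised offline, and the `probe` function is what you would point at a real host.

```python
"""Minimal SSLv2 probe, the kind of check a Drown scanner runs against a host.

Sends a raw SSLv2 CLIENT-HELLO and parses the SERVER-HELLO (if any).  A server
that answers with SSLv2 cipher kinds still speaks the obsolete protocol.
"""
import hashlib
import socket
import struct
from typing import Optional

# SSLv2 cipher-kind codes (3 bytes each) from the SSL 2.0 specification.
SSL2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Return an SSLv2 record carrying a CLIENT-HELLO offering every cipher kind.

    Record header: 2 bytes, high bit set = "2-byte header, no padding", the
    remaining 15 bits are the length of the message that follows.
    """
    cipher_specs = b"".join(SSL2_CIPHER_KINDS)
    body = struct.pack("!BHHHH", MSG_CLIENT_HELLO, 0x0002,
                       len(cipher_specs), 0, len(challenge))  # no session id
    body += cipher_specs + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate, for comparing certs across hosts/ports."""
    return hashlib.sha256(cert_der).hexdigest()


def parse_server_hello(record: bytes) -> dict:
    """Parse an SSLv2 SERVER-HELLO record; raise ValueError for anything else."""
    if len(record) < 2 or not record[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record (TLS alert?)")
    length = struct.unpack("!H", record[:2])[0] & 0x7FFF
    body = record[2:2 + length]
    if len(body) != length or length < 11:
        raise ValueError("truncated SSLv2 record")
    (msg_type, _session_id_hit, _cert_type, version,
     cert_len, specs_len, conn_id_len) = struct.unpack("!BBBHHHH", body[:11])
    if msg_type != MSG_SERVER_HELLO:
        raise ValueError("unexpected SSLv2 message type 0x%02x" % msg_type)
    if 11 + cert_len + specs_len + conn_id_len > length:
        raise ValueError("SERVER-HELLO fields overrun the record")
    cert = body[11:11 + cert_len]
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    ciphers = [SSL2_CIPHER_KINDS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, len(specs), 3)]
    return {
        "version": version,
        "ciphers": ciphers,
        "export_ciphers": [c for c in ciphers if "EXPORT" in c],
        "cert_sha256": cert_fingerprint(cert),
    }


def is_sslv2_server_hello(record: bytes) -> bool:
    """True if the bytes are a well-formed SSLv2 SERVER-HELLO."""
    try:
        parse_server_hello(record)
        return True
    except ValueError:
        return False


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Optional[dict]:
    """Send the CLIENT-HELLO to host:port; return the parsed SERVER-HELLO or None.

    Speaks raw SSL only (443, 465, 993 ...); ports that need a STARTTLS command
    first (25, 587, 143) are not handled here.  A patched server normally just
    closes the connection or sends a TLS alert, either of which yields None.
    """
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
            if not data[0] & 0x80:        # not an SSLv2 record at all
                break
            if len(data) >= 2 + (struct.unpack("!H", data[:2])[0] & 0x7FFF):
                break
    return parse_server_hello(data) if is_sslv2_server_hello(data) else None


# Constructed sample (not captured from any real host): a SERVER-HELLO from a
# server that still accepts SSLv2 and even offers an export-grade cipher kind.
SAMPLE_CERT = b"\x30\x03\x02\x01\x01"          # placeholder DER, not a real cert
SAMPLE_SPECS = b"\x01\x00\x80\x02\x00\x80"     # RC4-128 and RC4-40-export
_sample_body = struct.pack("!BBBHHHH", MSG_SERVER_HELLO, 0, 1, 0x0002,
                           len(SAMPLE_CERT), len(SAMPLE_SPECS), 16)
_sample_body += SAMPLE_CERT + SAMPLE_SPECS + b"\xaa" * 16
SAMPLE_SERVER_HELLO = struct.pack("!H", 0x8000 | len(_sample_body)) + _sample_body

if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(host, port) or "%s:%d does not answer SSLv2" % (host, port))
```

Run it as `python probe.py example.com 443` and again against the organization's mail hosts on 465 and 993: a non-None result anywhere means that host still speaks SSLv2, and a matching `cert_sha256` between the mail host and the web host is exactly the shared-certificate case the article describes. Any server offering one of the `export_ciphers` entries is in the worst position, since the 40-bit export cipher kinds are what make the attack practical. This probe is a presence check only; it does not attempt any decryption.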
What's Your Opinion?
Are any sites you regularly use for sensitive data affected by Drown? Do sites need to do more to remove outdated technologies that could be compromised? Are you generally confident in using secure sites?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website!