Drown hack

Guest

Drown hack

Post by Guest » Wed Mar 02, 2016 10:19 pm

@All =
Please read and act
[cite]The experts said about a third of all computer servers using the HTTPS protocol - often represented by a padlock in web browsers - were vulnerable to so-called Drown attacks.

They warn that passwords, credit card numbers, emails and sensitive documents could all be stolen as a consequence.[/cite]



bbc.com/news/technology-35706730

Best Regards
Tool =
edit -
htxxtps://drownattack.com/#check

A440
Posts: 2318
Joined: Sat Nov 20, 2010 1:56 am

RE: Drown hack

Post by A440 » Thu Mar 03, 2016 1:23 am

Damn!
A list of vulnerable sites:
[red]ebay.com
asos.com (clothing)[/red]

A440
Posts: 2318
Joined: Sat Nov 20, 2010 1:56 am

RE: Drown hack

Post by A440 » Thu Mar 03, 2016 2:11 am

Another important point from the article:
. . . The SSLv2 protocol was deliberately weakened because, at the time of its creation, the US government wanted to try to restrict the availability of tough encryption standards to other countries.
This is precisely why the US Government should not be allowed to over-ride security and encryption concerns of IT companies.

Apollo702
Posts: 616
Joined: Thu Sep 12, 2013 4:40 pm

RE: Drown hack

Post by Apollo702 » Thu Mar 03, 2016 3:09 am

[green] I read the list and it practically is a who's-who of tech sites. Considering the fact that I have thousands of bookmarks on my list I think that my blood pressure just went up a notch...[/green]

EDIT:[green] I just bookmarked the checker and entered a series of major sites in there and they all came up [/green][red] guilty guilty guilty[/red][green].

It is far far more than [/green][yellow]Feebay[/yellow][green]. It is practically the entire internet![/green]

A440
Posts: 2318
Joined: Sat Nov 20, 2010 1:56 am

RE: Drown hack

Post by A440 » Thu Mar 03, 2016 5:54 am

[red]samsung.com[/red]
. . . and that is a lot of samsung sites too:

test.drownattack.com/?site=samsung.com

Guest

RE: Drown hack

Post by Guest » Thu Mar 03, 2016 1:37 pm

@A440 and Apollo and anyone that may want to tackle it =
Should I upgrade to the latest OpenSSL version?

In short: yes, everyone should upgrade. You can mitigate DROWN completely with a configuration change. But today’s release fixes a number of other vulnerabilities, and we cannot emphasize the importance of timely upgrades enough
htxxtps://wwxw.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown
Do I need to update my browser?

No. There is nothing practical that web browsers or other client software can do to prevent DROWN. Only server operators are able to take action to protect against the attack.
httxxps://drownattack.com/#question-answer
Who is right?
I have a firewall that allows filtering of SSLv2 traffic. Should I filter that traffic?

Yes, that’s a reasonable precaution, although it will also prevent our scanners from being able to help you identify vulnerable servers
httxxps://drownattack.com/#question-answer

Any that you will recommend?

[green][cite]Results for mywot.com

We have not identified any vulnerable servers matching this name[/cite][/green]

httxxps://test.drownattack.com/?site=mywot.com

I spent most of the night trying to understand what I read, but @WOT we have members that can make a difference, I invite them to help with their knowledge, from every nation or any nation

@A440 =

[cite]This is precisely why the US Government should not be allowed to over-ride security and encryption concerns of IT companies[/cite]

I fully agree

It is high time to ask those who want to serve us as our president what they have in mind to stop this, and because I love this country, I am voicing my anger at the media and politicians.
We are in trouble, but we can make it right

This is a universal right and is being violated by the government that attacks other nations, but at the same time is violating our constitution by doing what they find objectionable in China

I am not leaving my home, but I intend to express my opinion that our government needs to go back to the principle of serving its people and follow the law of the land.

I am sorry if I am not making sense now, I need to get some rest

Best regards

williKi
Posts: 519
Joined: Thu Oct 01, 2015 6:52 pm

RE: Drown hack

Post by williKi » Thu Mar 03, 2016 2:40 pm

Just checked my work domain with the tool, not good. Sent an email to the security manager. Wow. thanks for the work.

A440
Posts: 2318
Joined: Sat Nov 20, 2010 1:56 am

RE: Drown hack

Post by A440 » Tue Mar 29, 2016 4:52 am

[green]ASOS.com[/green] fixed theirs since I notified them. Great.

hotdoge3
Posts: 866
Joined: Sat Jan 03, 2009 9:14 pm

RE: Drown hack HTTPS flaw proves we don't even test things

Post by hotdoge3 » Tue Mar 29, 2016 7:10 am

htxxtp://www.theregister.co.uk/2016/03/02/drown_ ... er_poodle/

Learn things? DROWN HTTPS flaw proves we don't even test things

You knew SSLv2 was poison, so why was it still there?

In the wake of the DROWN vulnerability, organisations like the Australian Signals Directorate that offer security incident mitigation strategies might consider adding another item to their lists: test your configuration to make sure it's what you expected

The DROWN flaw in HTTPS would not be anything to worry about, except that developers working on server-side software made the fatal assumption that since there were no clients left to request a deprecated SSL connection, they didn't need to update their code to kill older SSL completely.

We now know that assumption was wrong. DROWN is a cross-protocol attack: the buggy code in SSL v2 implementations is what enables the decryption attack on vastly more secure TLS encryption. This was compounded by a now-fixed bug that meant admins could configure a system thinking that SSLv2 was off, but have it sitting there still supported anyhow.

In other words: if you believed your configuration was secure without going back to test it, you may have ticked all the boxes in your “best practice” list and remain vulnerable.

Are people going back to run post-configuration tests? All too rarely, it seems. According to the Australian Communications and Media Authority's daily publication of a third-party's scan (Shadowserver, here) of the country's address space, a stunning 180,000 hosts here are still vulnerable to POODLE. Similar results are to be expected around the world.

“if you had SSL v3 enabled it's your fault”. And sysadmins were already on notice: the POODLE vulnerability of 2014 was a get-rid-of-SSL warning.
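The Register's point above is that a configuration you believe disables SSLv2 has to be tested, not trusted; the drownattack.com checker quoted earlier in the thread automates exactly that test. As an added example (not from this thread or from the DROWN authors), this Python script performs the same check against a server you administer: it sends a bare SSLv2 CLIENT-HELLO and reports which SSLv2 suites, if any, the server answers with in a SERVER-HELLO. The suite names are the SSL 2.0 code points; SAMPLE_SERVER_HELLO is a constructed reply so the parser can be exercised offline.

```python
import os
import socket
import struct

# The seven cipher suites defined by SSL 2.0 (3-byte code points from the spec).
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}

def build_sslv2_client_hello(challenge=None):
    """SSLv2 CLIENT-HELLO (type 1, version 0x0002) offering every SSLv2 suite."""
    challenge = challenge or os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS)
    body = (b"\x01\x00\x02" + struct.pack("!HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)
    # 2-byte record header: high bit set, low 15 bits carry the body length.
    return struct.pack("!H", 0x8000 | len(body)) + body

def parse_sslv2_server_hello(data):
    """Suites listed in an SSLv2 SERVER-HELLO (type 4); None for any other reply."""
    if len(data) < 13 or not data[0] & 0x80 or data[2] != 0x04:
        return None  # e.g. TLS alert record (0x15), empty read, closed socket
    # header(2) type(1) sid_hit(1) cert_type(1) version(2) cert_len(2) spec_len(2) cid_len(2)
    cert_len, spec_len = struct.unpack("!HH", data[7:11])
    specs = data[13 + cert_len:13 + cert_len + spec_len]
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, len(specs), 3)]

# Constructed sample reply: 3-byte placeholder "certificate", two suites, 16-byte connection id.
SAMPLE_SERVER_HELLO = (b"\x80\x24" + b"\x04\x00\x01\x00\x02" + struct.pack("!HHH", 3, 6, 16)
                       + b"\xde\xad\xbe" + b"\x01\x00\x80\x07\x00\xc0" + bytes(16))

def probe_sslv2(host, port=443, timeout=5.0):
    """Send one CLIENT-HELLO to a server you run; a non-empty list means SSLv2 is still on."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv2_client_hello())
        try:  # read until the announced record length is in, the peer closes, or we time out
            while len(reply) < 2 or len(reply) < 2 + (((reply[0] & 0x7f) << 8) | reply[1]):
                if not (chunk := s.recv(4096)):
                    break
                reply += chunk
        except socket.timeout:
            pass
    return parse_sslv2_server_hello(reply)
```

Run `probe_sslv2("your.host.example")` against each HTTPS endpoint after changing the configuration; a result of None means the server refused the SSLv2 hello, which is the outcome the OpenSSL advice in this thread is aiming for.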
