Do you have faith in the little green padlock symbol in your browser's URL bar during online banking? You should be careful: in one third of all servers worldwide, the internationally approved security protocol TLS and encrypted data transfer can be compromised. All types of online communication that deal with sensitive data are affected: online banking, online shopping, eGoverment services and our entire email communication. This has been demonstrated in a current study, to which Horst Görtz Institute for IT Security at Ruhr-Universität Bochum has significantly contributed.
Passwords are unprotected
For their cryptographic attack, the international research team have banked on an old friend: "SSLv2" is the previous version of the current security protocol TLS and is now considered insecure. "SSLv2 is lying dormant on many servers, even though TLS has long been in use," says Juraj Somorovsky from Horst Görtz Institute in Bochum. The old versions have been mostly replaced, but never completely deleted. A grave error, as it turns out: it creates a gate through which TLS security mechanisms can be bypassed, thus leaving user names, passwords, credit card numbers and financial data unprotected.
33 per cent of all servers are affected
The researchers have scanned the entire https network and have found out that approx. 33 per cent of all servers worldwide, i.e. 11.5 million units, have been affected by their attack. A mere 440 US dollars are required to carry out an attack. The researchers invested them to rent graphic cards with high computing power for their attacks in an AMAZON cloud. "Due to an implementation error, we were able to do without the additional computing power when we tried out an alternative variation of the attack," relates Somorovsky. The free-of-cost tactics still works in 26 per cent of all servers worldwide.
Protection is possible
"It is possible to protect yourself from attacks of that kind," says Somorovsky. First, web administrators should deactivate SSLv2 protocols on their servers. In addition, the researchers launched the website www.drownattack.com on March 1, 2016, featuring important security advice. Everyone can use it to test if their own webpage is safe. The thus detected security problem is a shameful leftover: twenty years ago, the SSLv2 standard was deliberately launched as a not fully secure version due to cryptography export regulations. "We must learn from the mistakes of the past," concludes Somorovsky. "Politically and economically independent Internet security standards are indispensable!"
In the last months, the team manned by Juraj Somorovsky, Susanne Engels and Prof Christof Paar from Horst Görtz Institute at Ruhr-Universität Bochum collaborated with researchers from the universities in Münster, Tel Aviv, Pennsylvania and Michigan, and with researchers from the Hashcat project and OpenSSL. Titled DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), the attack will be a key issue discussed at the der RuhrSec conference in Bochum on April 29, 2016.
Cite This Page: