HTTPS DROWN attack vulnerability | General financial discussion | Discussion forum

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
sp_Search Search
Advanced Search
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Search Search
Go to Bottom
No permission to create posts
sp_Feed Topic RSS sp_TopicIcon
HTTPS DROWN attack vulnerability
March 2, 2016
12:39 pm
SlowPoke
Member
Members
Forum Posts: 51
Member Since:
September 17, 2014
sp_UserOfflineSmall Offline
Go to Top
1sp_Permalink sp_Print

Hi All

Just a quick FYI on this issue

"DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS,"

"What can the attackers gain?
Any communication between users and the server. This typically includes, but is not limited to, usernames and passwords"

You may want to check sites using this tool pcf mobile app sites showed the vulnerability

https://drownattack.com/#check

March 4, 2016
8:44 am
Save2Retire@55
Member
Members
Forum Posts: 857
Member Since:
January 3, 2013
sp_UserOfflineSmall Offline
Go to Top
2sp_Permalink sp_Print

Very interesting and informative. I think we can't do anything about it as there is no more secured form of communication to be used these days. It sounds the server owners should take necessary measurements to protect information.

March 5, 2016
6:23 am
SlowPoke
Member
Members
Forum Posts: 51
Member Since:
September 17, 2014
sp_UserOfflineSmall Offline
Go to Top
3sp_Permalink sp_Print

It affects OpenSSL. Most banks do not use Opensource OpenSSL for there secure webbanking. However it appears PCF was vulnerable for its mobile app services, which have since been fixed

Several online shopping sites I checked are still using SSL v2 and vulnerable

Cheers

March 9, 2016
7:45 am
Save2Retire@55
Member
Members
Forum Posts: 857
Member Since:
January 3, 2013
sp_UserOfflineSmall Offline
Go to Top
4sp_Permalink sp_Print

Thanks for the update.

March 9, 2016
3:29 pm
ertyu
Member
Members
Forum Posts: 146
Member Since:
January 4, 2015
sp_UserOfflineSmall Offline
Go to Top
5sp_Permalink sp_Print

The real ugliness is that *any* server using the certificate that supports SSLv2 creates the vulnerability on *all* other servers using that same certificate, even if they don't support SSLv2.

No permission to create posts
sp_Feed All RSS
Go to top

Please write your comments in the forum.