In the digital world we live in, technologies are rapidly evolving, and cyber threats are not lagging behind. While developers build more and more complex programs, hackers find new, smarter ways to attack. New threats can break connections that were considered highly secure until recently. One specific and recent example is the so-called cross-protocol attack, which makes it possible for attackers to gain access to very sensitive information such as passwords, emails and financial data.
At the core of cross-protocol attacks is the exploitation of weaknesses in one protocol implementation to break others that are considered more secure. A relatively recent example of such a threat is the DROWN attack, an acronym that stands for “decrypting RSA with obsolete and weakened encryption.” Last year, this attack proved that many of the most popular websites in the world are prone to compromise. Web giants such as Yahoo, Alibaba, BuzzFeed, Flickr and others were identified as vulnerable. All of them have secured connections, prefixed by “https,” and rely on the common encryption protocols — SSL and TLS — that protect the sensitive data flowing between your browser and the web server.
Unfortunately, as is the case with most technologies, the SSL protocol has its imperfections. Due to its serious flaws, the first SSL version was never actually released to the public. The second one, SSLv2, was released in 1995, and although it was considered stronger, it was also declared insecure and was deprecated by the IETF. NIST, which is responsible for developing information security standards and guidelines, also requires government and federal systems not to use or support SSL versions 2.0 and 3.0. These are just some of the reasons why people avoid using SSLv2. But sadly, due to misconfiguration, it is still supported by many servers. Today, the more secure TLS encryption is people’s first choice, but as it turns out, it can also be compromised.
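One practical way to catch the misconfiguration just described is to audit the protocol directives in each service's configuration before an attacker finds them. The following Python auditor is an added example, not code from the original article or from the DROWN researchers; it checks nginx's `ssl_protocols` and Postfix's `smtpd_tls_protocols` on constructed sample fragments, and the mail server is included because DROWN also applies when a mail service that still speaks SSLv2 shares the web server's RSA key.

```python
import re

# Protocol versions that NIST and the IETF say must not be enabled.
DEPRECATED = {"SSLv2", "SSLv3"}

# Constructed sample fragments (not taken from any real host).
NGINX_WEAK = """
server {
    listen 443 ssl;
    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # weak: SSLv2/SSLv3 on
}
"""
NGINX_FIXED = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;                     # corrected setting
}
"""
POSTFIX_WEAK = "smtpd_tls_protocols = !SSLv3\n"          # SSLv2 is NOT excluded
POSTFIX_FIXED = "smtpd_tls_protocols = !SSLv2, !SSLv3\n" # corrected setting


def nginx_deprecated(cfg):
    """nginx lists the protocols that are ENABLED: ssl_protocols A B C;"""
    found = set()
    for m in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", cfg, re.M):
        found |= DEPRECATED & set(m.group(1).split())
    return found


def postfix_deprecated(cfg):
    """Postfix takes either an exclusion list (!SSLv2, !SSLv3) or an inclusion
    list (TLSv1.2, TLSv1.3). With exclusions, anything not excluded stays on,
    so an empty value or '!SSLv3' alone still leaves SSLv2 enabled."""
    found = set()
    for m in re.finditer(r"^\s*smtpd_tls_protocols\s*=\s*(.*)$", cfg, re.M):
        tokens = m.group(1).replace(",", " ").split()
        excluded = {t[1:] for t in tokens if t.startswith("!")}
        included = {t for t in tokens if not t.startswith("!")}
        found |= (DEPRECATED & included) if included else (DEPRECATED - excluded)
    return found


def audit(configs):
    """configs: {name: (checker, text)} -> {name: sorted deprecated protocols}."""
    return {name: sorted(fn(text)) for name, (fn, text) in configs.items()}


if __name__ == "__main__":
    print(audit({"nginx": (nginx_deprecated, NGINX_WEAK),
                 "postfix": (postfix_deprecated, POSTFIX_WEAK)}))
```

Any non-empty result means the host still offers a protocol that DROWN-style attacks build on and should be fixed before the keys are considered safe.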
The history and evolution of these protocols are proof that encryption, cyber threats and technology are changing at breakneck speed. To ensure your company’s digital safety, taking precautions is a must. Luckily, last year’s DROWN attack was developed not by hackers but by international security researchers, who disclosed it in order to warn website owners about the danger.
The experts haven’t revealed a PoC or any code for the hack. But now that the possibility of cracking the encryption is widely known, digital pirates might think of clever ways to replicate it and start exploiting it. Here are some actionable steps to ensure the online security of your business and to have peace of mind.