An OpenSSL advisory and the "DROWN" attack

The OpenSSL project has disclosed a new high-profile vulnerability. This one, known as CVE-2016-0800 or "DROWN", affects servers that still have the old SSLv2 protocol enabled. Yes, it has its own domain name and logo. From the DROWN site:

"DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Our measurements indicate 33% of all HTTPS servers are vulnerable to the attack."

The attack is cross-protocol: an attacker who can open SSLv2 connections to a server uses it as a Bleichenbacher-style padding oracle to decrypt TLS sessions that were negotiated with the same RSA key. A web server that has SSLv2 disabled is therefore still exposed if any other service (a mail server, for example) shares its certificate or private key and still accepts SSLv2. The solution is to disable SSLv2 completely, on every host that uses the key. Note that there are several other vulnerabilities (with a lower presumed severity) fixed in the OpenSSL 1.0.2g and 1.0.1s releases.
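A quick way to check whether a host still answers SSLv2 is to send it a bare SSLv2 ClientHello and see whether an SSLv2 ServerHello comes back. The prober below is an added example written for this post, not code from the OpenSSL project or the DROWN authors. It assumes the target speaks TLS directly on the port (no STARTTLS negotiation), and the ServerHello used for the offline self-check is constructed here rather than captured from a real server; its "certificate" bytes are a placeholder.

```python
"""Minimal SSLv2 ClientHello prober (added example, not from the original post)."""
import os
import socket
import struct
from typing import Optional

# SSLv2 cipher-kind codes, three bytes each, as listed in the SSLv2 specification.
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
SSLV2_VERSION = 0x0002


def build_client_hello(challenge: Optional[bytes] = None) -> bytes:
    """Build an SSLv2 record carrying a ClientHello that offers every SSLv2 cipher kind."""
    challenge = challenge if challenge is not None else os.urandom(16)
    cipher_specs = b"".join(SSLV2_CIPHER_KINDS)
    body = struct.pack(
        ">BHHHH",
        MSG_CLIENT_HELLO,
        SSLV2_VERSION,
        len(cipher_specs),
        0,              # session-id length 0: ask for a new session
        len(challenge),
    ) + cipher_specs + challenge
    # Two-byte SSLv2 record header: high bit set means no padding, low 15 bits are the length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(data: bytes) -> Optional[dict]:
    """Return the parsed fields if `data` starts with an SSLv2 ServerHello, else None.

    A TLS alert (first byte 0x15) or an empty reply has the high bit clear and
    is rejected here, which is what a correctly configured server produces.
    """
    if len(data) < 2 or not data[0] & 0x80:
        return None
    rec_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + rec_len]
    # msg type, session-id hit, certificate type, version, cert len, cipher-specs len, conn-id len
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    _, sid_hit, cert_type, version, cert_len, ciphers_len, conn_id_len = struct.unpack(">BBBHHHH", body[:11])
    rest = body[11:]
    if len(rest) < cert_len + ciphers_len + conn_id_len:
        return None
    cipher_blob = rest[cert_len:cert_len + ciphers_len]
    offered = [cipher_blob[i:i + 3] for i in range(0, len(cipher_blob), 3)]
    return {
        "version": version,
        "session_id_hit": sid_hit,
        "certificate_type": cert_type,
        "certificate_len": cert_len,
        "ciphers": [SSLV2_CIPHER_KINDS.get(c, c.hex()) for c in offered],
    }


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> Optional[dict]:
    """Connect, send the ClientHello and parse the reply; a non-None result means SSLv2 is enabled."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        reply = b""
        try:
            while len(reply) < 4096:
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            pass
    return parse_server_hello(reply)


def example_server_hello() -> bytes:
    """Constructed SSLv2 ServerHello for an offline self-check (not captured from a real host)."""
    cert = b"\x30\x82\x00"                      # placeholder bytes, not a real certificate
    ciphers = b"\x01\x00\x80" + b"\x07\x00\xc0"  # RC4-128-MD5 and 3DES-MD5
    conn_id = bytes(16)
    body = struct.pack(">BBBHHHH", MSG_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                       len(cert), len(ciphers), len(conn_id))
    body += cert + ciphers + conn_id
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: sslv2probe.py HOST [PORT]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    hello = probe_sslv2(sys.argv[1], port)
    print("SSLv2 ENABLED (DROWN-exposed):" if hello else "no SSLv2 ServerHello:", hello)
```

Because DROWN only needs one SSLv2 endpoint that uses the same RSA key, run the probe against every service that presents the certificate (443, 465, 993, 995 and so on), not just the web server. A server that is patched or has SSLv2 disabled replies with a TLS alert or closes the connection, and the parser reports that as no ServerHello.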