‘Thousands of popular sites’ at risk of Drown attacks. Websites have been warned they could be exposed to eavesdroppers, after researchers discovered a new way to disable their encryption protections.
The experts said about a third of all computer servers using the HTTPS protocol – often represented by a padlock in web browsers – were vulnerable to so-called Drown attacks.
They warn that passwords, credit card numbers, emails and sensitive documents could all be stolen as a consequence. A fix has been issued.
According to iTechHacks News Network, it will take some time for many of the website administrators to protect their systems.
The researchers have released a tool that identifies websites that appear to be vulnerable.
They said they had not released the code used to prove their theory because “there are still too many servers vulnerable to the attack”.
As yet, there is no evidence hackers have worked out how to replicate their technique.
An independent expert said he had no doubt the problem was real.
“What is shocking about this is that they have found a way to use a very old fault that we have known about since 1998,” said Prof Alan Woodward, from the University of Surrey.
“And all this was perfectly avoidable.
“It is a result of us having used deliberately weakened encryption, which people broke years ago, and it is now coming back to haunt us.”
To mount a successful attack on a website would still require a considerable amount of computational force.
But, the researchers said, under normal circumstances, hackers could rent the required capacity from Amazon’s cloud compute division for as little as $440 (£314).
In addition, because many of the servers vulnerable to Drown were also affected by a separate bug, a successful attack could be carried out using a home computer.
“This form of the attack is fast enough to allow an online man-in-the-middle style of attack, where the attacker can impersonate a vulnerable server to the victim,” the researchers wrote.
“We were able to execute this form of the attack in under a minute on a single PC.”
The researchers said many popular sites – including ones belonging to Samsung, Yahoo and a leading Indian bank – appeared to be vulnerable.
“The weakness is actually in the old Pop3 server,” he said.
“Few people still use Pop3, but it means that things like your password reset server could theoretically be eavesdropped upon.”