Drown Vulnerability Demonstrates Intentional Weak Crypto Leaving Websites At Risk

By Samir Ghanmi | Mar 03, 2016 11:22 AM EST

TEXT SIZE    

This dates back to the 1990's encryption backdoors that is making a comeback to the industry 20 years after to what it's now called Drown.

What researchers found with the flaw of the Drown goes back to the 1990's Crypto Wars during Bill Clinton's administration where he demanded the US government to find a way to break the encryption that was being exported outside the country.

The cryptography's debate now is still as raw as it was before, like the fight between the FBI and Apple. Privacy advocates suggested that strong encryption secures networks from prying eyes, where security experts says that backdoors puts encryption at risk for criminals to exploit, it also adds less security for anyone if the government is left without the facility to bypass encryption in order to catch criminals.

Drown flaw has revealed this Tuesday to an open attack that could put over 11 million websites at risk by means of decrypt TLS and SSL traffic. This flaw can utilize the protocol of transport layer security by triggering a deadly handshake tie to the SSLv2 used to decode the TLS session. A related use of export-grade cryptography exploits a feature into the SSLv2 causing the attack.

Director of engineering at Qualys and SSL expert Ivan Ristic says, "When they created SSLv2 they created a special version. They intentionally weakened it,"

Ristic added that the version was intentionally weakened to allow the US government to break in access to the encryption if necessary.

Security experts showed concern to the demand of the FBI to create a backdoor to Apple's iPhone encryption, also adding to the argument that cracked encryption could lead to unintended consequences.

A cryptographer and professor at John Hopkins University Matt Green said it was an invaluable lesson relating to the attacks on SSLv2. Green showed concerns to the Drown flaw in a blog post saying, "The most truly awful bits stem from the fact that the SSLv2 designers were forced to ruin their own protocol. This was the result of needing to satisfy the U.S. government's misguided attempt to control the export of cryptography. Rather than using only secure encryption, the designers were forced to build in a series of export-grade cipher suites, that offered abysmal 40-bit session keys and other nonsense."

pre post  |  next post
More Sections