acm-header
Sign In

Communications of the ACM

ACM TechNews

Web: Security Protocol Tls Compromised


A TLS logo

An international team of researchers has demonstrated that the TLS security protocol may be compromised in about a third of all servers.

Credit: SWHosting.com

Ruhr-University Bochum researchers are part of an international team that demonstrated in a third of all servers, the security protocol TLS and encrypted data transfer can be compromised, affecting all types of online communication that deal with sensitive data.

The researchers focused on SSLv2, the previous version of TLS. SSLv2, which is now considered insecure, is still lying dormant on many servers, although TLS has long been in use, according to Ruhr-University Bochum researcher Juraj Somorovsky. The previous versions have been mostly replaced, but never completely deleted, creating a gate through which TLS security mechanisms can be bypassed, thus leaving user names, passwords, credit card numbers, and financial data unprotected.

The researchers scanned the entire "https" network and found about 33 percent of all servers worldwide, approximately 11.5 million units, could be affected by the attack. "Due to an implementation error, we were able to do without the additional computing power when we tried out an alternative variation of the attack," Somorovsky says.

To protect servers from this kind of attack, he recommends Web administrators deactivate SSLv2 protocols from their servers. In addition, the researchers on March 1 launched the website www.drownattack.com on March 1, which features important security advice.

From Ruhr-University Bochum (Germany)
View Full Article

 

Abstracts Copyright © 2016 Information Inc., Bethesda, Maryland, USA


 

No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account