SSLv2 – The “Drown” Attack

Just recently there has been a lot of news regarding a vulnerability with SSLv2 (SSL2.0) and what has been named the Drown Attack. You will see articles saying “Drown Attack effects over 1/3 of the worlds websites, ” “No one is secure on the internet anymore,”  More than a Million sites effected!” etc.. the list goes on and on. Allow me to calm some fears you may have.. Unless your have NOT touched your server system since 2011 then don’t worry. SSLv2 which was created back in 1995 was considered an obsolete protocol back in 2011, and more than likely you are not using it. Because the following… Browsers such as Chrome have by default put a stop to the use of this […]

Read More

OpenSSL patch released that fixes High-severity Diffie Hellman bug

OpenSSL has fixed a high-severity vulnerability that made it possible for attackers to obtain the key that decrypts communications secured in HTTPS based on the ephemeral keys, DSA based Diffie Hellman (DH) key exchange. The OpenSSL Diffie Hellman issue got assigned CVE-2016-0701 with a severity of High. This vulnerability could allow an attacker to force the peer to perform multiple handshakes using the same private Diffie Hellman key component. Meaning they could use this flaw to conduct man-in-the-middle attacks on the SSL/TLS connection. OpenSSL released on 28-Jan-2016 their Security Advisory regarding the fixes on their website OpenSSL.org. OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set then the server reuses […]

Read More

SHA 1 Critical Vulnerability Notice

On October 8, 2015, a team of international cryptography researchers warned of a significantly increased risk in using SHA-1 certificates, and recommended that administrators accelerate their migration to SHA-2 certificates. The risk is that, with enough computing power, an attacker can craft a fake certificate that in all key respects appears to be signed by a public Certification Authority (it cryptographically chains up to a Certification Authority’s root certificate). This doesn’t mean that websites is suddenly insecure, but it certainly is a wake-up call. The current policy of most browsers stipulates that they will completely reject SHA-1 TLS certificates on January 1, 2017. However, in light of these new findings, it’s highly possible the deadline will be accelerated. If your […]

Read More

How to fix Alternative chains certificate forgery (CVE-2015-1793)

How to fix Alternative chains certificate forgery (CVE-2015-1793):Critical OpenSSL vulnerability could allow attackers to intercept secure communications. What is it: An error in the implementation of the alternative certificate chain logic could allow an attacker to cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate. Reported by Adam Langley and David Benjamin (Google/BoringSSL).Fixed in OpenSSL 1.0.2d (Affected 1.0.2c, 1.0.2b)Fixed in OpenSSL 1.0.1p (Affected 1.0.1o, 1.0.1n) ===================================================================== How to Fix it: Alternative chains certificate forgery (CVE-2015-1793) ==================================================================== Severity: High During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if […]

Read More

OpenSSL: Alternative Chains Certificate Forgery Vulnerability (CVE-2015-1793)

Critical OpenSSL vulnerability could allow attackers to intercept secure communications with the new Alternative Chains Certificate Forgery Vulnerability (CVE-2015-1793) A critical new vulnerability in OpenSSL could allow attackers to intercept secure communications by tricking a targeted computer into accepting a bogus digital certificate as valid. This could facilitate man-in-the-middle (MITM) attacks, where attackers could listen in on connections with secure services such as banks or email services. OpenSSL is one of the most widely used implementations of the SSL and TLS cryptographic protocols. Open-source software, it is used widely on internet-facing devices, including two thirds of all web servers. The new Alternative Chains Certificate Forgery Vulnerability (CVE-2015-1793) was patched today in a security update issued by the OpenSSL project (https://www.openssl.org/news/secadv_20150709.txt) […]

Read More

The FREAK Vulnerability.

The FREAK Vulnerability, What is happening? A new SSL/TLS vulnerability named “FREAK” was identified by several security researchers. This threat allows an attacker to get between a client and server and view what is intended to be a secure and private communication. The vulnerability is primarily due to a bug in OpenSSL client software, but only exploitable on poorly-configured web servers. Both clients and servers are at risk. Website owners can protect their sites by properly configuring their web servers by removing affected ciphers and restarting their servers. Note that this vulnerability is not related to SSL certificates. Your existing certificate will continue to work as intended. No certificate replacement is needed. Why should a Acmetek Customer or Partner care? […]

Read More