Drown attack: how weakened encryption jeopardizes "secure" sites
http://www.theguardian.com/technology/2016/mar/02/secure-https-connections-data-passwords-drown-attack
<< Security researchers have developed a method of attacking "secure" connections that can be used to intercept and decrypt information being transmitted to some of the world's most popular email, news and entertainment services. The researchers, made up of a team from public universities, Google, and a number of groups devoted to the development of open source projects, say the attack relies on a flaw in an old piece of encryption technology.
The Drown attack method, or "Decrypting RSA with Obsolete and Weakened eNcryption", could affect up to one third of all websites that use secure connections – addresses prefixed by "https". It means the information visitors submit could be accessed and decrypted while it travels over the internet. Yahoo, BuzzFeed, Flickr and Samsung.com would all be susceptible, according to the researchers, as would a large number of the world's top 10,000 websites. Credit card data, passwords and other information handled by these websites could be compromised.
The team compared the Drown attack to previously revealed attacks called Freak, Poodle and Logjam, all of which were made possible by 1990s export laws that required US companies to deliberately weaken encryption algorithms used in products available overseas. These restrictions were eventually lifted, but the damage had already been done: now, two decades later, the compromised security can still be exploited.
"These three attacks targeting different flaws from export-grade cryptography from the 90s are the best natural experiment we have about the long-term damage to security that can come from deliberately weakening cryptography", said Nadia Heninger, an assistant computer and information science professor at the University of Pennsylvania and a member of the Drown attack research team. >>