A recently discovered OpenSSL security hole enables an ancient, long deprecated security protocol, Secure Sockets Layer (SSLv2), to be used to attack modern web sites.
An attack exploiting this, dubbed DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), is estimated to be able to kill off at least one-third of all HTTPS servers.
According to the researchers who found the flaw, that could amount to as many as 11.5 million servers.
How bad is DROWN really? Some of Alexa’s leading web sites are vulnerable to DROWN-based man-in-the-middle attacks, including Yahoo, Sina, and Alibaba.
Besides the OpenSSL patches, which are available as source code, other firms, including Canonical, Red Hat, and SUSE Linux, will all be delivering the patches shortly.
Submitted by: Arnfried Walbrecht