“Drown” Attack

There is a great article written by Swati Khandelwal on the “Drown” attack.  It is yet another attack against OpenSSL. Swati writes:

“DROWN stands for “Decrypting RSA with Obsolete and Weakened eNcryption.”

DROWN is a cross-protocol attack that uses weaknesses in the SSLv2 implementation against transport layer security (TLS), and that can decrypt passively collected TLS sessions from up-to-date clients…It is a low cost attack that could decrypt your sensitive, secure HTTPS communications, including passwords and credit card details…

…and that too in a matter of hours or in some cases almost immediately, a team of 15 security researchers from various universities and the infosec community warned Tuesday.”
This is a great read including some diagrams on how it is carried out. Check it out here at: Hacker-News
Good Times !