"The OpenSSL project has released versions 1.0.2g and 1.0.1s to
address a high severity security issue known as the DROWN attack
(CVE-2016-0800) which allows attackers to break HTTPS and steal
encrypted information. In layman's terms, the attack uses an improperly
patched issue (from 1998) in SSL to attack websites using the more
modern TLS protocol. Servers where admins use SSL and TLS are in
danger. Additionally, servers where only TLS is used, but the admins
are sharing the same certificate for other servers where they have
SSL, are also vulnerable, since the attack targets RSA, employed in
both SSL and TLS. The entire attack is also easy to carry out, costing
only $440 on Amazon EC2."
-- source: http://it.slashdot.org/story/16/03/01/1743237
Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
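
The two exposure conditions in the quoted summary (a server that accepts SSL itself, and a TLS-only server whose RSA key is also served by an SSL server) can be checked against a scan inventory. The following is an added example, not part of the original post; the hostnames, the inventory format and the key fingerprints are constructed placeholders, and matching is done on the RSA public key because a renewed certificate can keep the same key.

```python
from collections import defaultdict

# Constructed scan inventory: endpoint, whether SSLv2 was accepted, and a
# fingerprint of the RSA public key served. All values are placeholders.
INVENTORY = """\
www.example.test:443   sslv2=no   key=KEY-A
mail.example.test:25   sslv2=yes  key=KEY-A
shop.example.test:443  sslv2=no   key=KEY-B
old.example.test:443   sslv2=yes  key=KEY-C
"""


def parse(text):
    """Turn inventory lines into (endpoint, sslv2_accepted, key_id) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        endpoint, sslv2, key = line.split()
        rows.append((endpoint, sslv2.split("=")[1] == "yes", key.split("=")[1]))
    return rows


def drown_exposure(rows):
    """Return {endpoint: reason} for every endpoint exposed to DROWN."""
    # First pass: which keys are served by at least one SSLv2-capable endpoint?
    sslv2_hosts = defaultdict(list)
    for endpoint, sslv2, key in rows:
        if sslv2:
            sslv2_hosts[key].append(endpoint)

    # Second pass: flag direct exposure and exposure through a shared key.
    findings = {}
    for endpoint, sslv2, key in rows:
        if sslv2:
            findings[endpoint] = "direct: accepts SSLv2"
        elif key in sslv2_hosts:
            findings[endpoint] = "shared key with " + ", ".join(sslv2_hosts[key])
    return findings


if __name__ == "__main__":
    for endpoint, reason in drown_exposure(parse(INVENTORY)).items():
        print(f"{endpoint:24} {reason}")
```

Disabling SSLv2 on the endpoint named in a "shared key" finding, or giving the TLS-only server its own key, clears that finding.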