[Cryptography] DROWN attack on SSLv2 enabled servers

mok-kong shen mok-kong.shen at t-online.de
Thu Mar 3 03:22:26 EST 2016


On 03.03.2016 at 04:03, Salz, Rich wrote:
>> Paper is at https://www.drownattack.com/drown-attack-paper.pdf
>
> Folks also might find this worthwhile: https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/

It is in my view remarkable that recently there are so many troubles
with open-source software that become known one after the other. Of
course the corresponding ones in closed-source software are by nature
in the dark. I wonder why the software community in the large and the
IT-security community in particular seem yet to have no active and
concrete initiatives to urgently start projects to fundamentally search
for countermeasures that are effective in practice. Certainly such
countermeasures would necessarily have non-trivial costs (efficiency
issues etc.), but I suppose there is no alternative to bearing the
costs at least for applications whose security is exactly a binary
variable, i.e. either there is security or there is none at all.

M. K. Shen

