
Talk:DROWN attack

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Robwahl (talk | contribs) at 23:21, 12 September 2017 (Background required for non technical users: Added). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Expansion

This stub needs a lot of expansion. But at least it's a start. -- Markshale (talk) 00:51, 2 March 2016 (UTC)

Background required for non technical users

Hello, this article reveals a recent vulnerability causing use of SSL 2.0 to be discouraged by OpenSSL and others. I think the author should include some material for the less technical user. I would include the following points. I would also expand upon significance.

In order to preserve confidentiality, sensitive data must be encrypted. One method of encryption is RSA. RSA was considered to be difficult to break, but with newer computers, which include GPUs and multicore to quantum computers, it was easier to break. When it was invented, people were overconfident in the key size and math complexity and used RSA just to set up a secure socket rather than for all data transmission unless AES is used like it is for media streaming. SSL encrypts data at the transport layer and above and dates from the 1990s. It is used with HTTPS traffic. It is also used for local network traffic authentication as well as some VPN traffic which allows remote users to access a network. The predictability of short traffic can cause confidentiality issues. SSL uses RSA encryption. With SSL there is not a control for who receives the public key, making it ideal for internet use. Knowing the private key is the only way to decrypt it. The DROWN (decrypting RSA with obsolete and weakened eNcryption) "allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, and financial data". To mitigate, turn off SSL v2 and make sure private keys are not used as public keys.


TLS uses an RSA algorithm of 1024 and 2048 bits and is the successor to SSL. TLS and the downgraded SSL use the same key generated from multiplying two large prime numbers.

Some older devices are not able to do TLS 1.2 and eliminating SSL v2 trades usability for security. Robwahl (talk) 23:18, 12 September 2017 (UTC)