Talk:DROWN attack

This article has not yet been rated on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Please add the quality rating to the {{WikiProject banner shell}} template instead of this project banner. See WP:PIQA for details. Computer Security: Computing High‑importance This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.Computer SecurityWikipedia:WikiProject Computer SecurityTemplate:WikiProject Computer SecurityComputer Security High This article has been rated as High-importance on the project's importance scale. This article is supported by WikiProject Computing (assessed as High-importance). Things you can help WikiProject Computer Security with: Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information... Review importance and quality of existing articles Identify categories related to Computer Security Tag related articles Identify articles for creation (see also: Article requests) Identify articles for improvement Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc. Find editors who have shown interest in this subject and ask them to take a look here. Please add the quality rating to the {{WikiProject banner shell}} template instead of this project banner. See WP:PIQA for details. Computing Mid‑importance This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.ComputingWikipedia:WikiProject ComputingTemplate:WikiProject ComputingComputing Mid This article has been rated as Mid-importance on the project's importance scale.

This stub needs a lot of expansion. But at least it's a start. -- Markshale (talk) 00:51, 2 March 2016 (UTC)[reply]

Hello, this article reveals a recent vulnerability causing use of SSL 2.0 to be discouraged by OpenSSL and others. I think the author should include some material for the less technical user. I would include the following points. I would also expand upon significance

In order to preserve confidentiality of often personal information, sensitive data must be encrypted to prevent it from being sniffed or read by an unwelcome party. One method of encryption is RSA. One implementation that uses RSA is SSL. SSL encrypts data at the transport layer and above and was invented in the 1990s. When the internet browser visits a site using HTTPS, SSL is used. It is also used for local network traffic authentication as well as some VPN traffic which allow remote users to access a network for example, when the user is away from the office that user can access the computer system in the office. SSL does not have a control for who recieves the public key making it ideal for internet use. Knowing the private key is the only way to decrypt it. RSA was once considered to be difficult to break but with newer computers which includes GPUs and multicore to quantum computers it was easier to break. When RSA was invented people were overconfident in the key size and math complexity and used RSA just to setup a secure socket rather than for all data trsnsmission unless AES is used like it is for media streaming because it required additional work from the computer's processor. Because the application only uses it for short commands which are predictable, eavesdroppers can use DROWN attacks to figure out what is said. The DROWN (decrypting RSA with obsolete and weakened eNcryption) "allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, and financial data". To mitegate turn off SSL v2 and make sure private keys are not used as public keys. However, this cannot always be done because some older devices are not able to do TLS 1.2 and eliminating SSL v2 trades usability for security.

TLS uses an RSA algorithm of 1024 and 2048 bits and is the successor to SSL TLS and the downgraded SSL uses the same key generated from multiplying two large prime numbers

Robwahl (talk) 23:18, 12 September 2017 (UTC)[reply]