Deep Sec2016 Talk: DROWN – Breaking TLS using SSLv2 – Nimrod Aviram
In the past years encrypted communication has been subject to intense scrutiny by researchers. With the advent of Transport Layer Security (TLS) Internet communication via HTTP became a lot more secure. Its predecessor Secure Sockets Layer (SSL) must not be used any more. The real world has its own ideas. SSLv2 and SSLv3 is still present. Attackers can try to downgrade the TLS session by switching to insecure ciphers. When using the correct configuration, these downgrade attacks cannot happen. The question is: Are all of your devices, applications, and systems correctly configure? If you are not sure, better check again. In order to illustrate how these attacks work, we have invited Nimrod Aviram for DeepSec 2016. He will explain the inner workings of the DROWN attack. We present a novel cross-protocol attack on TLS