New Hack That 33 Percent of Secure Websites Are Vulnerable to Can Be Thwarted by VPN




Another day, another new security hack. A 2015 study by the company Risk Based Security cataloged a total of 14,185 computer security vulnerabilities for last year. And 60% of them were for exploiting web-related technology – the sort that can be thwarted by VPN. I honestly don't know how computer security experts do it. It makes me tired just thinking about having to patch up all those holes.


2016 has thoughtfully brought us a new hack that's used against secure websites, and up to 33% of all secure sites may be vulnerable. Thanks, 2016! But at least this hack has a cool nickname. It's called DROWN, which I think would be a great code name for an evil mastermind in a James Bond film. Fortunately for us, the hack can be thwarted by a VPN service that uses the correct security protocols. Let's take a closer look at it.


What Does a Secure Website Mean?


Even if you don't know it, you've used secure websites on many occasions. Facebook, for example, is a secure website. So is Twitter. And so is Amazon, your bank's website, and the browser-based version of your favorite email provider (think Gmail, Yahoo!, or Apple). There's an easy way to tell when you're on a secure website. The URL in your browser's address bar will start with “https” instead of “http.” You will usually see a tiny lock icon in the address bar as well. HTTPS is the encrypted version of Hypertext Transfer Protocol (HTTP), the main communications protocol used on the Internet.


HTTPS incorporates a protocol named Transport Layer Security (TLS), and/or its predecessor, Secure Sockets Layer (SSL). Combining these protocols with HTTP keeps communications private through encryption that uses a secret parameter called a cryptographic key, which is verified by your computer and the website before any data is transmitted. This key makes the communications channel reliable by establishing the identities of the parties, and by using message integrity checking that detects loss or alteration of data during transmission.


33% of Secure Websites Are Vulnerable to This New Hack


As I said before, the new secure website hack is named DROWN, which stands for “Decrypting RSA with Obsolete and Weakened eNcryption.” Up to 11 million secure websites may be vulnerable to it because they use an encryption library called Open Secure Sockets Layer (OpenSSL). OpenSSL contains an old version of the SSL protocol named SSL Version 2 (SSLv2), a dinosaur that harks back to the 90s and has long since been abandoned in favor of TLS. However, SSLv2 is still part of OpenSSL alongside TLS, which OpenSSL includes because it is much more secure.


And that's what makes OpenSSL vulnerable to a DROWN attack: the fact that it still has the outdated encryption protocol SSLv2. However, SSLv2 does not make OpenSSL vulnerable in and of itself. It's vulnerable because SSLv2 can be used to attack TLS and decipher its private cryptographic key. That key is then used to decrypt the entire data stream flowing back and forth between your computer and a secure website. DROWN is fairly sophisticated because it uses a weak protocol to attack another, much stronger protocol. This is known as a cross-protocol attack.
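Since the weakness comes down to a server still answering SSLv2, here is an added example (not from the original article or from OpenSSL) of how a site operator can check for that: it builds an SSLv2 CLIENT-HELLO and parses the SERVER-HELLO that an SSLv2-capable server sends back. The function names, the all-zero challenge and the sample reply bytes are constructed for illustration; the message layout and cipher codes follow the SSLv2 specification.

```python
import socket
import struct

# SSLv2 cipher kinds (3 bytes each) as defined in the SSLv2 specification.
SSLV2_CIPHERS = {
    0x010080: "RC4_128_WITH_MD5", 0x020080: "RC4_128_EXPORT40_WITH_MD5",
    0x030080: "RC2_128_CBC_WITH_MD5", 0x040080: "RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "IDEA_128_CBC_WITH_MD5", 0x060040: "DES_64_CBC_WITH_MD5",
    0x0700C0: "DES_192_EDE3_CBC_WITH_MD5",
}

def build_client_hello(challenge=b"\x00" * 16):
    """SSLv2 CLIENT-HELLO offering every cipher kind above (constructed challenge)."""
    specs = b"".join(c.to_bytes(3, "big") for c in SSLV2_CIPHERS)
    # msg_type=1, version=0x0002, cipher-spec length, session-id length, challenge length
    body = struct.pack(">BHHHH", 1, 0x0002, len(specs), 0, len(challenge))
    body += specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body  # 2-byte record header

def parse_server_hello(data):
    """Return the cipher names an SSLv2 SERVER-HELLO offers, or None."""
    if len(data) < 13 or not data[0] & 0x80:
        return None                      # not a 2-byte-header SSLv2 record
    msg_type, _hit, _ctype, version, cert_len, spec_len, _cid_len = \
        struct.unpack(">BBBHHHH", data[2:13])
    if msg_type != 4 or version != 0x0002:
        return None                      # 4 = SERVER-HELLO
    specs = data[13 + cert_len:13 + cert_len + spec_len]
    if len(specs) != spec_len or spec_len % 3:
        return None                      # truncated or malformed
    kinds = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, spec_len, 3)]
    return [SSLV2_CIPHERS.get(k, hex(k)) for k in kinds]

def probe(host, port=443, timeout=5.0):
    """Check a server you operate; None means no SSLv2 reply. Raises OSError."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        buf = b""
        # Read until one whole SSLv2 record has arrived, or a non-SSLv2 answer.
        while len(buf) < 2 or (buf[0] & 0x80 and
                               len(buf) < 2 + (int.from_bytes(buf[:2], "big") & 0x7FFF)):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_server_hello(buf)

# Constructed sample reply: empty certificate, two cipher kinds, 16-byte connection id.
SAMPLE = (struct.pack(">H", 0x8000 | 33)
          + struct.pack(">BBBHHHH", 4, 0, 1, 0x0002, 0, 6, 16)
          + bytes.fromhex("010080020080") + b"\x11" * 16)
```

A list returned by `probe()` means the server completed the first step of an SSLv2 handshake and should have SSLv2 switched off; `None` means it answered with something else, such as a TLS alert, or closed the connection.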


Why Should You Care About DROWN?


You should care about it because DROWN can expose very sensitive personal data, like passwords or credit card information. Although you may not have realized it, you're using a secure website with TLS/SSL-type encryption every time you do anything online that involves finances. Online banking, online shopping, credit score research, and a whole slew of other activities all take place via these protocols. And some of the 10,000 most popular websites in the world (some of which you may use every day) are also open to DROWN attacks, including Yahoo!, BuzzFeed, Dailymotion, and the Weather Channel. Keep in mind that very popular websites are more or less constantly under some sort of attack because they're large, inviting targets.


DROWN is a type of Man-in-the-Middle (MITM) attack. MITM attacks in general involve a third party eavesdropping on private conversations they weren't invited to. In the case of DROWN, the “conversation” is the private communication between your computer and a secure website via the encrypted tunnel created by OpenSSL, TLS, and SSLv2. The “third party” is anyone who can use SSLv2 to attack TLS and decrypt the tunnel, thereby exposing and capturing the data stream. This is very bad news for you if you're typing passwords, social security numbers, or credit card information into a supposedly secure website. Your extremely sensitive personal data could be seen and copied. And the worst part is, you'd never ever know it was happening.


How Can VPN Thwart This New Secure Website Hack?


VPN can thwart DROWN because VPN itself creates a secure communications tunnel. When using VPN on a secure website, two encrypted tunnels are operating simultaneously: the TLS/SSLv2 tunnel and the VPN tunnel. Think of it as a large pipe with a smaller pipe inside of it. The outside pipe is the secure website tunnel. The inner pipe is the VPN tunnel. Your data flows through the inner pipe, and is still kept private even if the outer pipe collapses under a DROWN attack. As long as your VPN is operating smoothly, your data should remain encrypted, anonymous, and secure.


I've been known to get careless on occasion by not using VPN while shopping or paying bills online. Sloppy, I know. My reasoning was that as long as I was on a private, password-protected Internet connection, I didn't really need VPN because my data was already safe, protected by the secure website tunnel. Turns out the sites I assumed were already secure may not be nearly as secure as I believed.


I'm glad, in a way, because it reiterated a lesson I thought I'd learned a long time ago, namely, that good cyber security is achieved in layers. Those layers include security-conscious behavior as well as layers of security technology. DROWN has shown me an area in which I just assumed I was secure. And you know what they say about what happens when you assume: You make an “ass” out of “u” and “me.” I'm a pretty sly old dog, but I still got complacent without realizing it. Don't let DROWN make you that way too.