Approximately a third of all computer servers using the HTTPS protocol are at risk after researchers discovering a new way to disable their encryption protections.
The vulnerability known as a Drown attack leaves the servers at risk of having passwords, credit card numbers, emails and sensitive documents stolen.
A fix has been issued, though it will take some time for many of the website administrators to protect their systems.
A tool has been released to help identify websites that appear to be vulnerable.
At the moment, the researchers have not released the code used to prove their theory because “there are still too many servers vulnerable to the attack”.
Drown is an acronym for decrypting the Rivest-Shamir-Adleman (RSA) algorithm with obsolete and weakened encryption.
The SSLv2 protocol is the one affected and while clients – such as [web] browsers – have done away with SSLv2, many servers still support the protocol,” blogged Prof Matthew Green, from Johns Hopkins University.
“In most cases this is the result of careless server configuration.
“In others, the blame lies with crummy and obsolete embedded devices that haven’t seen a software update in years – and probably never will. ”
For an attach to be successful on a website, it would still require a considerable amount of computational force.
But, the researchers said, under normal circumstance, hackers could rent the required capacity from Amazon’s cloud compute division for as little as $440 (£314).
