DROWN SSL Attack – Millions of OpenSSL Secured Websites at Risk

3 Mar 2016

Drown SSL Attack is a recently discovered OpenSSL security hole enables a long deprecated security protocol, Secure Sockets Layer (SSLv2), to be used to attack modern web sites. This is just another reason why it is so important to keep your applications up to date. Using deprecated protocols is always an open invitation for malicious hackers to single you out and attack. An attack exploiting this, dubbed DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), is estimated to be able to kill off at 33% of all HTTPS servers.

SSL Attack

What is DROWN? What can Attackers Gain Access To?

The DROWN SSL Attack is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. The attackers are able to break the encryption and steal sensitive information such as credit cards, financial data, passwords, or other private business and personal information.

Who is Vulnerable?

Any TLS dependent services are at risk for the DROWN SSL Attack. This includes mail servers, websites, and other services using the TLS protocol. Even some of Alexa’s leading web sites are vulnerable to DROWN-based man-in-the-middle attacks, including Yahoo, Sina, and Alibaba. Due to its popularity, the open-source OpenSSL is the most obvious target for DROWNing, but it’s not alone.

Is my Website Vulernable to the DROWN SSL Attack?

Modern servers and clients use the TLS encryption protocol. However, due to misconfigurations, many servers also still support SSLv2, a 1990s-era predecessor to TLS.This support did not matter in practice, since no up-to-date clients actually use SSLv2. Therefore, even though SSLv2 is known to be badly insecure, until now, merely supporting SSLv2 was not considered a security problem, because clients never used it. You can find out if your website is vulnerable to DROWN using the DROWN Attack Test Site.

How can I Protect Myself?

To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS. You can use this form above to check whether your server appears to be exposed to the attack. Disabling SSLv2 can be complicated and depends on the server software installed. Unless you are a seasoned sever administrator we recommend getting a skilled professional involved. Here are some instructions for some popular server applications to get you started Apache, Postfix, Nginx.

Leave a Reply

Your email address will not be published. Required fields are marked *