DROWN exposes an old wound in HTTPS websites
A third of HTTPS servers are vulnerable to the DROWN attack, researchers say
A vulnerability present in 33 per cent of all HTTPS servers is exposing thousands of sites to so-called DROWN attacks, letting hackers decrypt secure communications and access passwords, emails and credit card details.
DROWN stands for 'decrypting RSA with obsolete and weakened encryption', and it exploits servers that support SSLv2 connections, according to the university researchers who uncovered the flaw.
While modern servers and clients use the TLS encryption protocol, many still support SSLv2, which is known to be insecure but has not been considered a major issue until now.
All servers that allow SSLv2 connections are at risk from DROWN, as are servers whose private keys are used on another server that allows SSLv2 connections.
Popular sites affected by the vulnerability include Yahoo, Weibo and BuzzFeed, the cybersecurity researchers from universities in the US, Israel and Germany claim, but mail servers and TLS-dependent services are also at risk.
The researchers, who also include a Google security team member, urged operators of such servers to apply a fix for the flaw.
They said: "We have no reason to believe that DROWN has been exploited in the wild prior to this disclosure. Since the details of the vulnerability are now public, attackers may start exploiting it at any time."
The vulnerability is in part down to the US government's restrictions on strong cryptography before the late 1990s, the researchers said, meaning that this weaker cryptography is still supported by various servers today.
"Although these restrictions, evidently designed to make it easier for NSA to decrypt the communication of people abroad, were relaxed nearly 20 years ago, the weakened cryptography remains in the protocol specifications and continues to be supported by many servers today, adding complexity – and the potential for catastrophic failure – to some of the internet's most important security features," they added.
The report was developed by researchers from Tel Aviv University, Münster University of Applied Sciences, Ruhr University Bochum, the University of Pennsylvania, the Hashcat project, the University of Michigan, Two Sigma, Google, and the OpenSSL project.
They have not released their attack code, saying too many servers would be left open to attack if they did.
Tod Beardsley, security research manager at Rapid7, said: "The attacker does have to be in a privileged position on the network in order to eavesdrop on a TLS session, and also needs to have already conducted some reconnaissance on the server-side infrastructure, but this is the nature of padding oracle attacks.
"While it's not Heartbleed, DROWN techniques do demonstrate the weaknesses inherent in legacy cryptography standards. Sysadmins should ensure that all their cryptographic services have truly disabled the old and deeply flawed SSLv2 protocol, and consider the cost and effort associated with providing unique private keys for their individual servers."
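The two exposures the article describes (a server that still answers SSLv2, and a private key shared with such a server) can both be checked from the administrator's side without any decryption. The script below is an added example written for this page, not code from the researchers, Rapid7 or the OpenSSL project. It speaks only the first two SSLv2 handshake messages (CLIENT-HELLO and SERVER-HELLO): if a host answers the hello with a SERVER-HELLO that lists cipher specs, SSLv2 is not "truly disabled". A second helper groups hosts that present the same certificate, which is the simplest way to find a key that is reused on an SSLv2-capable host. The message layout follows the SSLv2 specification; the sample certificate bytes in the self-test are constructed, and the hostnames you pass on the command line are assumed to be your own.

```python
"""SSLv2 exposure check for DROWN: handshake probe plus shared-certificate grouping."""
import hashlib
import socket
import ssl
import struct
from typing import Dict, List, Optional

# SSLv2 handshake message types.
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04

# The seven SSLv2 cipher specs (3 bytes each); the EXPORT40 ones are the
# deliberately weakened "export" ciphers the article refers to.
SSLV2_CIPHER_SPECS = {
    b"\x01\x00\x80": "RC4_128_WITH_MD5",
    b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}


def sslv2_record(payload: bytes) -> bytes:
    """Wrap a handshake message in the 2-byte SSLv2 record header (high bit set, no padding)."""
    if len(payload) > 0x7FFF:
        raise ValueError("payload too long for a 2-byte SSLv2 record header")
    return struct.pack("!H", 0x8000 | len(payload)) + payload


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """CLIENT-HELLO offering every SSLv2 cipher spec, with no session id."""
    specs = b"".join(SSLV2_CIPHER_SPECS)
    # type, version 0x0002, cipher-specs length, session-id length, challenge length
    body = struct.pack("!BHHHH", MSG_CLIENT_HELLO, 0x0002, len(specs), 0, len(challenge))
    return sslv2_record(body + specs + challenge)


def build_server_hello(cert: bytes, specs: bytes, conn_id: bytes) -> bytes:
    """SERVER-HELLO with the same layout a real SSLv2 server sends (used for self-tests)."""
    # type, session-id hit, certificate type (1 = X.509), version, then three lengths
    body = struct.pack("!BBBHHHH", MSG_SERVER_HELLO, 0, 1, 0x0002, len(cert), len(specs), len(conn_id))
    return sslv2_record(body + cert + specs + conn_id)


def parse_server_hello(data: bytes) -> dict:
    """Parse a SERVER-HELLO record; raise ValueError for anything else (e.g. a TLS alert)."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    length = struct.unpack("!H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    if len(body) < length or len(body) < 11:
        raise ValueError("truncated record")
    msg_type, _hit, _cert_type, version, cert_len, specs_len, conn_id_len = struct.unpack("!BBBHHHH", body[:11])
    if msg_type != MSG_SERVER_HELLO:
        raise ValueError("unexpected SSLv2 message type %#x" % msg_type)
    rest = body[11:]
    if len(rest) < cert_len + specs_len + conn_id_len:
        raise ValueError("truncated SERVER-HELLO")
    cert = rest[:cert_len]
    specs = rest[cert_len:cert_len + specs_len]
    ciphers = [SSLV2_CIPHER_SPECS.get(specs[i:i + 3], specs[i:i + 3].hex()) for i in range(0, len(specs), 3)]
    return {"version": version, "certificate": cert, "ciphers": ciphers}


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> Optional[dict]:
    """Return the parsed SERVER-HELLO if the host still speaks SSLv2, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello())
            data = b""
            # Read until one whole record is in, or the peer closes (TLS-only hosts alert and close).
            while len(data) < 2 or len(data) < 2 + (struct.unpack("!H", data[:2])[0] & 0x7FFF):
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        return parse_server_hello(data)
    except (OSError, ValueError):
        return None


def tls_certificate(host: str, port: int = 443) -> bytes:
    """DER certificate of a TLS-only host, so it can be compared with SSLv2 hosts' certificates."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def shared_certificate_groups(certs: Dict[str, bytes]) -> List[List[str]]:
    """Group hostnames that present the same DER certificate (hence the same private key)."""
    by_hash: Dict[str, List[str]] = {}
    for host, der in certs.items():
        by_hash.setdefault(hashlib.sha256(der).hexdigest(), []).append(host)
    return [hosts for hosts in by_hash.values() if len(hosts) > 1]


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:
        hello = probe_sslv2(h)
        print(h, "SSLv2 ENABLED " + ", ".join(hello["ciphers"]) if hello else "no SSLv2")
```

Run it as `python drown_check.py mail.example.internal www.example.internal` against your own hosts; any line reporting "SSLv2 ENABLED" is a server that must have SSLv2 switched off. The certificate grouping is deliberately conservative: an identical certificate always means an identical key, but the same key can also sit behind a different certificate, so a thorough inventory should compare the SubjectPublicKeyInfo rather than the whole certificate.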