DROWN exposes an old wound in HTTPS websites

A third of computers using the HTTPS protocol are vulnerable to the DROWN attack, researchers say

A vulnerability present in 33 per cent of all HTTPS servers is exposing thousands of sites to so-called DROWN attacks, letting hackers decrypt secure communications and access passwords, emails and credit card details.

DROWN stands for 'decrypting RSA with obsolete and weakened encryption', and it exploits servers that support SSLv2 connections, according to the university researchers who uncovered the flaw.


While modern servers and clients use the TLS encryption protocol, many still support SSLv2, which is known to be insecure but has not been considered a major issue until now.

All servers that allow SSLv2 connections are at risk from DROWN, as are servers whose private keys are used on another server that allows SSLv2 connections.

Popular sites affected by the vulnerability include Yahoo, Weibo and BuzzFeed, the cybersecurity researchers from universities in the US, Israel and Germany claim, but mail servers and TLS-dependent services are also at risk.

The researchers, who also include a Google security team member, urged operators of such servers to apply a fix for the flaw.

They said: "We have no reason to believe that DROWN has been exploited in the wild prior to this disclosure. Since the details of the vulnerability are now public, attackers may start exploiting it at any time."


The vulnerability is in part down to the US government's restrictions on strong cryptography before the late 1990s, the researchers said, meaning that this weaker cryptography is still supported by various servers today.


"Although these restrictions, evidently designed to make it easier for NSA to decrypt the communication of people abroad, were relaxed nearly 20 years ago, the weakened cryptography remains in the protocol specifications and continues to be supported by many servers today, adding complexity and the potential for catastrophic failure to some of the internet's most important security features," they added.

The report was developed by researchers from Tel Aviv University, Münster University of Applied Sciences, Ruhr University Bochum, the University of Pennsylvania, the Hashcat project, the University of Michigan, Two Sigma, Google, and the OpenSSL project.

They have not disclosed the code behind their theory, saying too many servers could be left open to attacks if they did so.

Tod Beardsley, security research manager at Rapid7, said: "The attacker does have to be in a privileged position on the network in order to eavesdrop on a TLS session, and also needs to have already conducted some reconnaissance on the server-side infrastructure, but this is the nature of padding oracle attacks.


"While it's not Heartbleed, DROWN techniques do demonstrate the weaknesses inherent in legacy cryptography standards. Sysadmins should ensure that all their cryptographic services have truly disabled the old and deeply flawed SSLv2 protocol, and consider the cost and effort associated with providing unique private keys for their individual servers."
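
The exposure rule described in this article (a server is at risk if it allows SSLv2, or if its private key is also used on another server that does) can be checked against a service inventory. The Python below is an added example, not code from the researchers or from this article; the hostnames, key fingerprints and inventory format are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory: (service, SSLv2 enabled?, public-key fingerprint).
# Hostnames and fingerprints are made up; in practice they would come
# from your own scan results or certificate management records.
INVENTORY = [
    ("www.example.test:443",  False, "fp-A"),
    ("mail.example.test:25",  True,  "fp-A"),  # shares www's key, SSLv2 on
    ("shop.example.test:443", False, "fp-B"),
    ("api.example.test:443",  False, "fp-B"),  # shares shop's key, no SSLv2
    ("old.example.test:443",  True,  "fp-C"),
]

def drown_exposure(inventory):
    """Map each service to (status, sslv2_services_sharing_its_key).

    status is 'direct' if the service itself allows SSLv2, 'shared-key'
    if it does not but its key is used by a service that does, else 'ok'.
    """
    # Index every key that is reachable through an SSLv2-enabled service.
    sslv2_by_key = defaultdict(list)
    for service, sslv2, fingerprint in inventory:
        if sslv2:
            sslv2_by_key[fingerprint].append(service)

    result = {}
    for service, sslv2, fingerprint in inventory:
        if sslv2:
            result[service] = ("direct", [])
        elif fingerprint in sslv2_by_key:
            result[service] = ("shared-key", sorted(sslv2_by_key[fingerprint]))
        else:
            result[service] = ("ok", [])
    return result

if __name__ == "__main__":
    for service, (status, via) in drown_exposure(INVENTORY).items():
        note = f" (disable SSLv2 on: {', '.join(via)})" if via else ""
        print(f"{service:24} {status}{note}")
```

The `shared-key` case is the one a scan of the web server alone misses: `www.example.test:443` rejects SSLv2 itself but is still exposed through the mail server that holds the same key.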
