The DROWN Attack and How To Stop It
A new cyber attack method, dubbed DROWN by its creators, is showing vulnerabilities in servers using old encryption methods like SSL and TLS that are found on millions of websites. The researchers explained the idea behind DROWN:
”DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS […] These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third-parties being able to read the communication.”.
Essentially, DROWN could affect almost anyone using any server. It’s indicated that 33% of ALL websites that use HTTPS are vulnerable, whereas 25% of the top one million websites are at risk, including high-traffic sites like Yahoo!. Once the encryption is broken, hackers could hypothetically steal everything from passwords to credit card numbers and other sensitive financial data.
So how do you know if you’re vulnerable? Servers that support SSLv2, an older form of weakened encryption, are at risk, along with those that share its private key with any other server that supports SSLv2.
One question many security analysts have been asking is “Hasn’t SSLv2 been a known vulnerability for a long time?”. The answer is yes, though many modern servers still support SSLv2, even if they don’t use it for anything. The DROWN team explains further:
”DROWN shows that merely allowing SSLv2, even if no legitimate clients ever use it, is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to any server that supports SSLv2 using the same private key.”
So how do you protect yourself and your company against a DROWN-type attack? Well that depends on what type of server you are using. The DROWN team has laid out instructions for a number of different server setups here.
The future of DROWN is a bit more of an unknown – it’s not out of the question that attackers may start using this type of attack now that they are aware of the high number of vulnerable servers. It’s estimated that a successful attack can occur in as little as an hour or as long as eight hours depending on the variant. Thankfully, these and other researchers are able to warn the public about these possibly security lapses. However, it’s our job to make sure to implement the right cyber security measures to counteract them.