DROWN attack sinks security for millions of websites

Security researchers reveal new technique to break TLS using SSLv2 server.

DROWN attack sinks security for millions of websites
Credit: Victor Cruz

The war to close down security vulnerabilities is never-ending, but the new “DROWN” vulnerability is one of the biggest to rear its ugly head in recent months.

A group of security researchers from a number of different universities and research institutes just unveiled this vulnerability, which they say could affect 33% of all HTTPS servers. That potentially exposes around 11.5 million HTTPS servers worldwide plus other services reliant on SSL and TLS encryption.

“These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third-parties being able to read the communication,” explain the researchers on the Drown Attack website. “DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data.”

There’s no action that concerned users can take to guard against the attack, apart from avoiding vulnerable websites. That means server admins and IT staff really need to look into this vulnerability and take action quickly. Many extremely popular websites are vulnerable, according to the DROWN Attack website, including AutoTrader, Yahoo, Weather.com, and CNBC. (This DROWN site also allows you to check whether your own server appears to be vulnerable.)

How does DROWN work?

If you’re wondering, DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption. In the paper, DROWN: Breaking TLS using SSLv2, the researchers describe the method as a “cross-protocol attack that can decrypt passively collected TLS sessions from up to-date clients by using a server supporting SSLv2 as a Bleichenbacher RSA padding oracle.”

The problem afflicts servers and clients using the TLS encryption protocol that are misconfigured to support the obsolete SSLv2 standard. If the server allows SSLv2 connections or its private key can be used on another server that allows SSLv2 connections, then it’s vulnerable to the DROWN attack.

The attack is able to “decrypt a TLS 1.2 handshake using 2048-bit RSA in under 8 hours using Amazon EC2, at a cost of $440.” But the researchers say that combining the attack with another newly discovered vulnerability in OpenSSL, present in releases from 1998 to early 2015, makes even cheaper attacks possible.

Legacy support for outdated protocols like this is at the heart of the flaw. Many felt that there was no point in disabling SSLv2 because no browsers were using it anyway. It was originally released in 1995, but quickly phased out because of significant weaknesses. DROWN proves that even obsolete cryptography can be dangerous.

Misconfiguration or inappropriate default settings are what’s enabling attackers to exploit it, and SSLv2 support should be completely disabled. Misconfigurations and unpatched software continue to be the main culprits in serious data breaches over the last few years. Known vulnerabilities pose the biggest IT security threats because most companies are very slow to address them. Even two months after the Heartbleed vulnerability was revealed in 2014, the Errata Security blog revealed that 300,000 servers were still vulnerable to it.

What action to take

Disabling SSLv2 on servers and ensuring that private keys are not being used anywhere with server software that allows SSLv2 connections is the way to deal with the DROWN threat. That means looking at any software supporting SSL or TLS, including web servers, and SMTP, IMAP, and POP email servers.

The researchers have included instructions and a useful F.A.Q. at the DROWN Attack website, so anyone concerned about this vulnerability can check whether they’re afflicted and take the appropriate action immediately.

It’s not the first time that out-of-date technology has caused security issues, the FREAK flaw was similar. There’s some hope that incidents like this will provoke a more proactive approach to removing obsolete cryptography in the future.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.

This article is published as part of the IDG Contributor Network. Want to Join?

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.