DROWN Attacks all set to blow down the TLS/SSL Encryption

March 3, 2016 | By Editor 

An alarming security threat, DROWN, has been uncovered in OpenSSL, exposing more than 11 million emails and websites to risk.

What is DROWN Attack?

DROWN takes its name from “Decrypting RSA with Obsolete and Weakened eNcryption”. The flaw is used to mount a cross-protocol attack that is specific to the SSLv2 protocol. The security defect is not as rampant as the Heartbleed flaw, and it is a relatively inexpensive attack. It targets the weakness of a server that still incorporates the outdated SSLv2 implementation, and in that way decodes intercepted TLS sessions from up-to-date clients.

The DROWN attack performs a man-in-the-middle attack to decipher HTTPS connections by sending specially crafted malicious packets to the server. While the latest TLS versions do not permit SSLv2 connections by default, administrators sometimes unintentionally override these settings in order to optimize their applications. The DROWN attack can sneak into your website if the website certificate is used elsewhere on the server that does not support SSLv2.

Security experts have found that more than 33% of all HTTPS servers are exposed to DROWN attacks. Yahoo, Sina, Flickr, StumbleUpon, Alibaba and Samsung are some of the top-ranked global websites in Alexa that were found to be vulnerable to DROWN attacks.

Microsoft's Internet Information Services (IIS) version 7 and Network Security Services (NSS) versions older than 3.13, which are built into many server products, are also exposed to the DROWN vulnerability.

How to Test DROWN OpenSSL Vulnerability?

Modern servers incorporate the TLS encryption protocol. However, because of incorrect configurations, some servers are still provisioned to support SSLv2, which has now been replaced by TLS. Servers that support SSLv2 are considered insecure and hence expose the website to the DROWN vulnerability.

How do you know if the server is vulnerable to DROWN?

  • A server is vulnerable to DROWN attacks if its private key is also used on some other web server that allows SSLv2 connections.
  • It is also vulnerable if it is misconfigured or runs with unsuitable default settings.
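The two conditions above can be checked across a whole server inventory by grouping endpoints by key and flagging every endpoint whose key also appears on an SSLv2-enabled one. The following is an added example, not code from the original article; the record layout, host names and key bytes are constructed, and it generalizes "other web server" to any endpoint using the same key (a mail host in the sample data).

```python
import hashlib
from collections import defaultdict

# Constructed sample inventory (not real scan data). Each record is one
# endpoint: the bytes of its certificate public key (placeholders here) and
# whether a scan of your own servers saw it accept an SSLv2 handshake.
KEY_A = b"constructed-public-key-A"
KEY_B = b"constructed-public-key-B"
KEY_C = b"constructed-public-key-C"
INVENTORY = [
    {"host": "www.example.test", "port": 443, "pubkey": KEY_A, "sslv2": False},
    {"host": "mail.example.test", "port": 25, "pubkey": KEY_A, "sslv2": True},
    {"host": "shop.example.test", "port": 443, "pubkey": KEY_B, "sslv2": False},
    {"host": "old.example.test", "port": 443, "pubkey": KEY_C, "sslv2": True},
]


def key_id(pubkey: bytes) -> str:
    """SHA-256 fingerprint used to recognise the same key on different hosts."""
    return hashlib.sha256(pubkey).hexdigest()


def drown_exposure(inventory):
    """Return {(host, port): reason} for every endpoint that is exposed."""
    by_key = defaultdict(list)
    for ep in inventory:
        by_key[key_id(ep["pubkey"])].append(ep)

    findings = {}
    for endpoints in by_key.values():
        # Endpoints in this key group that still accept SSLv2.
        weak = [(e["host"], e["port"]) for e in endpoints if e["sslv2"]]
        if not weak:
            continue  # no SSLv2 anywhere for this key: not exposed
        for e in endpoints:
            name = (e["host"], e["port"])
            if e["sslv2"]:
                findings[name] = "accepts SSLv2 itself"
            else:
                peers = ", ".join(f"{h}:{p}" for h, p in weak)
                findings[name] = f"shares its key with SSLv2 endpoint {peers}"
    return findings


if __name__ == "__main__":
    for (host, port), reason in sorted(drown_exposure(INVENTORY).items()):
        print(f"{host}:{port} EXPOSED: {reason}")
```

In the sample data, www.example.test is reported even though it does not accept SSLv2 itself, because its key is also deployed on an endpoint that does.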

Security experts have come up with a patch for the vulnerability. However, if the server is exposed to DROWN attacks, it can be actively exploited by hackers within minutes.

