DROWN Attack and SSL: What You Need to Know
This new vulnerability in SSLv2 puts over one third of websites at risk.
|By: Steve Snelgrove|
The problem is many companies don’t know if they are vulnerable, or what they should do. Here’s what you need to know about DROWN.
What is DROWN?
Because of this new vulnerability, it has become dangerous to support SSLv2, whereas it wasn’t considered a security problem before. Since attackers can now use SSLv2 to decrypt TLS, even supporting SSLv2 can put your data in danger.
How can the vulnerability be exploited?The culprit is SSLv2, which is an older encryption protocol for websites. This type of encryption is weaker and outdated. With this vulnerability, attackers can exploit SSL or SSLv2 to decrypt any communication between users and the server.
Who is vulnerable?To be affected by DROWN, the web server running HTTPS needs to either support SSLv2 itself or share its private key with another server that does.
Even if you have modern servers, you could still be at risk. Due to misconfigurations, many servers still support SSLv2. If a HTTPS server supports SSLv2 and TLS, it can be exploited to decrypt intercepted connections from clients, even if those connections are using the most secure, up-to-date version of TLS protocol.
This works because SSL and TLS share the same “back-end” cryptographic material, including the server’s private key. This allows the attacker to decrypt information from both SSL and TLS.
Unfortunately, one third of web servers still support this insecure technology. SSLv2 can also be accidentally enabled when setting up a new server.
SEE ALSO: PCI 3.1: Stop Using SSL and Outdated TLS Immediately
What can be stolen?All communication between users and the server can be seen and stolen by attackers through DROWN.
If you send anything sensitive over the Internet and your web server has this vulnerability, that information can be read and/or stolen. This includes passwords, credit card numbers, emails, sensitive documents, and more.
What’s been done?A fix has been issued. A new version of OPENSSL has been released, which disables SSLv2 and patches up a few other bugs. However, it’s up to the web server operators to update their servers.
What do you need to do?If your business runs its own web server, you may need to make some changes. Here are some things you should do:
- Update to TLS encryption protocol: This is the latest encryption protocol, and doesn’t have the DROWN vulnerability.
- Get rid of SSLv2: Update to OPENSSL to disable SSLv2. Make sure your servers aren’t even supporting SSLv2.
- Perform vulnerability scans: Do scans of all services on servers to check for availability of SSLv2.
What should SecurityMetrics customers do?Fortunately, SecurityMetrics has been scanning for and notifying clients of this vulnerability since 2008. So if you’re a client, you’ve likely already taken care of this problem. Make sure you’re up to date with your vulnerability scans, and that your web servers are using TLS.
Get rid of SSLv2!This new vulnerability makes SSL not only a weak encryption protocol, but also a danger to modern servers. This adds to the list of incentives to update your encryption and make sure your web servers are secure.
The surprising thing to me is there are so many servers that still run SSLv2. It’s surprising because SSLv2 was created in 1995, and was replaced by TLS 1.0 in 1999, so it’s an extremely outdated encryption protocol that really shouldn’t be used anymore.
The biggest element in security is to be up to date in software. To be supporting something as old as SSL is now considered a danger and a liability.
At this point in time, there’s really no excuse to still have SSL.There’s been enough time to make the transition. Update your web servers as soon as possible. The sooner you do it, the sooner you can ensure the security of your business and your clients.
Steven Snelgrove (CISSP) has been a Security Analyst at SecurityMetrics for over 7 years. Since 1980, Snelgrove has worked in the computer and telecommunications industry, and has familiarity with programming, software engineering, and network security. His current responsibilities includes the manual assessment of web applications and corporate networks, conducting ethical hacking to analyze security architecture, and consulting with organizations to help remediate issues. Snelgrove received a degree in Computer Science from Brigham Young University, and holds a CISSP (Certified Information Systems Security Professional) certification.