A new HTTPS vulnerability—complete with website, fancy new logo and catchy name—has been discovered, and described as one that's possibly as big as Heartbleed. It’s called DROWN, and just like its 2014 predecessor, it affects a big chunk of today’s HTTPS-using domains (approximately 33%, according to the FAQ on its website). Not only websites, but mail servers and TLS-dependent services are vulnerable too.
What is DROWN?
It appears to be a vulnerability that affects HTTPS and other services that rely on SSL and TLS. These are protocols mainly concerned with cryptography, which secures personal information (such as login credentials/credit card numbers) on domains that require them, such as online shopping/banking websites as well as instant messaging.
By taking advantage of DROWN, attackers can break these protocols and intercept the personal information they’re protecting, and presumably steal them. They may also use it to break into legitimate websites in order to change its functions or even insert malicious code in it.
So who is vulnerable?
Apparently, any server or client that allows TLS and SSLv2 connections. The website, drownattack.com, has an online checker to see if a domain or IP address is vulnerable to DROWN.
The DROWN website declares that at the time of the vulnerability’s disclosure (March 1), 33% of all HTTPS servers/sites are vulnerable. It goes on to say that with this, 22% of all browser-trusted sites are also vulnerable, along with 25% of the top one million domains.
How can DROWN be protected against?
The website advises the server/domain owner ensure that their SSLv2 is disabled on their servers and their private keys are not used anywhere with software servers that allow SSlv2 connections. It also includes instructions for specific software, such as OpenSSL and Microsoft IIS, along with Apache, Postfix and Nginx.
We will continue to update this post as developments arise.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.