What is the DROWN Attack?
The Decrypting RSA with Obsolete and Weakened eNcryption (DROWN) Attack is a serious vulnerability that affects HTTPS and other servers that rely on Secure Sockets Layer (SSL)/Transport Layer Security (TLS).
Essentially DROWN is an attack vector that leverages a cross-protocol bug in servers that support modern TLS by taking advantage of their support for the insecure SSLv2 protocol. By using support for SSLv2, malicious actors can then leverage an attack on connections using up-to-date protocols that would otherwise be considered secure like TLS.
DROWN only affects systems with weak encryption enabled and allows attackers to break the encryption used to protect your data. This allows them the ability to decrypt, read, and steal sensitive communications like passwords, credit card numbers, and more. In some situations, attackers may also be able to impersonate trusted websites and intercept or change the content a user sees.
Related Reading: What is SSL, TLS, and HTTPS?
Is Your Server Vulnerable?
A server is vulnerable to drown if it allows SSv2 connections or its private key is used on any other server that allows SSLv2 connections, even for another protocol. A server is also vulnerable if it shares a public key with a server that allows SSLv2 connections. As of 2019, about 1.2 percent of HTTPS servers are considered vulnerable, a significant drop from 2016’s 33 percent.
Vulnerability, however, really depends on your server configuration. You can only be sure that you are not vulnerable if none of your servers sharing a given private key enable SSLv2. While your secure TLS-only HTTPS server is vulnerable if you expose the same key on an email server that supports SSLv2.
DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients as it can allow an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.
Related Reading: How Encryption Works: Everything You Need to Know
How Can You Protect Your Server?
To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS.
To defend your properties from DROWN you need to check that SSLv2 is disabled or make sure the private key is not shared across any other services. For security’s sake, do an audit of all your systems to ensure that none of your websites, mail servers, file servers, and so forth have SSLv2 enabled. If you discover SSLv2 is still supported, then it should be disabled immediately in all SSL/TLS servers.
Choose the Right Encryption Software to Prevent a DROWN Attack
DROWN only affects servers with weak encryption enabled. Selecting the right encryption method for securing data transfers can help shield against incidents that can wreak havoc with your budget, reputation with your customers, and cost precious time and resources.
Get the scoop on choosing the right encryption method for securely exchanging your files in our webinar.