The party is ON! Join us at TNW Conference 2021 in Amsterdam for face-to-face business!

The heart of tech

This article was published on March 1, 2016

    DROWN attack breaks HTTPS on 33% of websites

    DROWN attack breaks HTTPS on 33% of websites
    Owen Williams
    Story by

    Owen Williams

    Former TNW employee

    Owen was a reporter for TNW based in Amsterdam, now a full-time freelance writer and consultant helping technology companies make their word Owen was a reporter for TNW based in Amsterdam, now a full-time freelance writer and consultant helping technology companies make their words friendlier. In his spare time he codes, writes newsletters and cycles around the city.

    It feels like we just got over Heartbleed and there’s another branded exploit out there.

    DROWN, a new vulnerability in OpenSSL that affects servers using SSLv2, was revealed today as an attack that could decrypt your secure HTTPS communications, such as passwords or credit card numbers. More than 33 percent of servers are vulnerable — significantly less than Heartbleed, but still a surprisingly high number.

    Among those vulnerable at time of writing were Yahoo, Alibaba, Weibo, BuzzFeed, Weather.com, Flickr and Samsung.

    The vulnerability was revealed as part of an OpenSSL update today, so a patch is already available, but exploiting the attack is fairly trivial.

    In this case, DROWN allows attackers to decrypt HTTPS by sending specially crafted packets to a server or if the certificate is shared on another server, effectively performing a Man-in-the-Middle attack.

    SSLv2 dates back to the 1990s and is frequently enabled by accident or automatically when setting up a new server, which is why DROWN is still a major issue.

    According to the website for DROWN, the attack can take under a minute to exploit and may be actively used now that it’s been disclosed. It also places the blame for its existence on the way the U.S government weakened cryptography in the 1990s.

    To defend against the attack, you should ensure SSLv2 is disabled, or make sure that the private key is not shared across any other servers. Those vulnerable don’t need to re-issue certificates, but should take action to prevent the attack immediately.

    The DROWN Attack