Preventing the DROWN Attack

Researchers recently uncovered the DROWN vulnerability in SSL v2. DROWN stands for Decrypting RSA with Obsolete and Weakened encryption. It affects HTTPS and other services that rely on the SSL and TLS protocols.

Attackers can use the DROWN vulnerability to break the encryption that protects your sensitive data from prying eyes. If the encryption is broken, attackers can read or steal your sensitive communications (e.g., passwords, financial data, and emails). In some situations, attackers may also be able to impersonate trusted websites.

Are You Vulnerable to the DROWN Attack?

It is estimated that 22% of servers may be vulnerable to the DROWN attack. If you have a website, mail server, or other services that rely on TLS, you may be susceptible to this attack as well.

To check whether a website or a public-facing server supports SSL v2, you can use tools such as the DigiCert® SSL Installation Diagnostics Tool. To check all the servers in your network (public and private) for SSL v2 support, you can use tools such as DigiCert® Certificate Inspector.

Mitigating the DROWN Attack

If you discover that you have servers or services that still support SSL v2, the fix is straightforward: disable SSL v2.

  • OpenSSL: If you are using OpenSSL, the easiest solution is to upgrade to the recently released OpenSSL versions 1.0.2g and 1.0.1s. You should also upgrade to these if you are still using one of the older (no longer supported) versions of OpenSSL.
  • Microsoft IIS: If you are using IIS 7 or newer, SSL v2 is disabled by default. If you manually enabled support for SSL v2, go back and disable it. If you are running an older (no longer supported) version of IIS, upgrade to IIS version 7 or newer.
  • Network Security Services (NSS): If you are using NSS 3.13 or newer, SSL v2 is disabled by default. If you manually enabled support for SSL v2, you need to go back and disable it. If you are using an older version of NSS, simply upgrade to NSS 3.13 or newer.
  • Apache, Nginx, etc.: If your servers support SSL v2, you need to disable support for it.
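
For the Apache and Nginx case, the added example below (not part of the original article) audits configuration text for lines that leave SSL v2 enabled, using the Apache mod_ssl `SSLProtocol` directive and the nginx `ssl_protocols` directive. The function names and sample lines are constructed for illustration. It assumes an older Apache build where `all` still includes SSLv2, and it treats bare protocol names as additive, so it errs toward flagging.

```python
import re

# Constructed sample configuration lines (not taken from any real server).
SAMPLE_APACHE = """\
# legacy vhost
SSLProtocol all
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol -all +TLSv1.2
SSLProtocol +SSLv2 +TLSv1
"""
SAMPLE_NGINX = """\
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_protocols TLSv1.2 TLSv1.3;
"""

def apache_allows_sslv2(line, all_includes_sslv2=True):
    """Evaluate one SSLProtocol line left to right.

    Assumption: 'all' includes SSLv2 (true of old Apache builds); pass
    all_includes_sslv2=False for builds that dropped SSLv2 entirely.
    Simplification: a bare protocol name is treated like '+name'.
    """
    m = re.match(r"\s*SSLProtocol\s+(.*)", line, re.IGNORECASE)
    if not m:
        return False  # comment, blank line or unrelated directive
    enabled = False
    for tok in m.group(1).split():
        sign, name = ("-", tok[1:]) if tok.startswith("-") else ("+", tok.lstrip("+"))
        name = name.lower()
        if name == "sslv2" or (name == "all" and all_includes_sslv2):
            enabled = (sign == "+")  # later tokens override earlier ones
    return enabled

def nginx_allows_sslv2(line):
    """ssl_protocols lists the enabled protocols; SSLv2 in the list is the problem."""
    m = re.match(r"\s*ssl_protocols\s+([^;#]*);", line)
    return bool(m) and "sslv2" in m.group(1).lower().split()

def audit(text, kind):
    """Return (line_number, directive) for every line that leaves SSL v2 enabled."""
    check = apache_allows_sslv2 if kind == "apache" else nginx_allows_sslv2
    return [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1) if check(l)]

if __name__ == "__main__":
    for kind, text in (("apache", SAMPLE_APACHE), ("nginx", SAMPLE_NGINX)):
        for lineno, directive in audit(text, kind):
            print(f"{kind}: line {lineno} leaves SSL v2 enabled: {directive}")
```

Lines the audit does not flag, such as `SSLProtocol all -SSLv2 -SSLv3` or `ssl_protocols TLSv1.2 TLSv1.3;`, show the corrected form of the setting.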