Researchers detail how DROWN can be used to decrypt communications on HTTPS-secure websites and urge server operators to update now
Up to 33 percent of HTTPS servers are susceptible to a new vulnerability that could allow attackers to decrypt secure communication and steal personal information such as passwords and credit card details.
DROWN – Decrypting RSA with Obsolete and Weakened eNcryption – exploits servers that support an old, insecure standard known as SSLv2.
Most modern servers use the more recent TLS protocol to secure communications, but some still support SSLv2 even though no legitimate, up-to-date client uses it.
“This is surprisingly common, due to misconfiguration and inappropriate default settings,” said a team of researchers who discovered the flaw. “Our measurements show that 17 percent of HTTPS servers still allow SSLv2 connections.”
However, the researchers say that merely supporting SSLv2 anywhere is enough: TLS connections to a different server can be decrypted if the two servers share the same private key.
“Many companies reuse the same certificate and key on their web and email servers, for instance. In this case, if the email server supports SSLv2 and the web server does not, an attacker can take advantage of the email server to break TLS connections to the web server. When taking key reuse into account, an additional 16% of HTTPS servers are vulnerable, putting 33 percent of HTTPS servers at risk.
“DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.”
DROWN is exploited by recording TLS connections between a victim client and server, then making specially crafted SSLv2 connections to any server that uses the same private key. Out of several hundred recorded connections, the attacker will eventually be able to decrypt one.
The researchers say observing this many connections would involve intercepting traffic for an extended period of time or tricking a user into visiting a website that makes a large volume of connections in the background.
There are two main variants. The general attack exploits a fundamental weakness in SSLv2 and requires 40,000 probe connections to decrypt one out of 900 TLS connections; the computation would cost about $440 on Amazon EC2, according to the researchers.
The other is significantly cheaper. Most servers affected by DROWN are also affected by an OpenSSL bug that allows the same task to be performed on a laptop, quickly enough for a man-in-the-middle attack.
“In this case, the attacker needs about 17,000 probe connections in total to obtain the key for one out of 260 TLS connections from the victim, and the computation takes under a minute on a fast PC,” said the report.
There is “nothing practical” that end users or browser developers can do to protect themselves against DROWN, placing the onus on server operators to take action. The easiest way is to ensure that server software is updated to a version that disables SSLv2 by default, and that no other server sharing the same certificate or private key (a mail server, for instance) still accepts SSLv2.
Windows IIS and Network Security Services (NSS) disabled SSLv2 long ago, while OpenSSL, which has been working with the authors of the report, has issued an update.
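The check a server operator would want after reading the above is twofold: does any host still complete an SSLv2 handshake, and does that host present the same certificate as the web server (the key-reuse case the researchers describe)? The script below is an added example, not code from the DROWN researchers or from OpenSSL. It builds an SSLv2 CLIENT-HELLO, parses the SERVER-HELLO, and compares certificate fingerprints using only the Python standard library; the record layout follows the original SSLv2 draft specification. The offline demo at the bottom uses a constructed SERVER-HELLO with placeholder certificate bytes (not a real DER certificate), while `probe_sslv2` and `check_pair` talk to live hosts and are named here for illustration.

```python
"""SSLv2 probe and key-reuse check for DROWN exposure (stdlib only).

Wire format follows the SSLv2 draft spec: a 2-byte record header with
the high bit set, CLIENT-HELLO type 0x01 and SERVER-HELLO type 0x04.
"""
import hashlib
import os
import socket
import ssl
import struct

SSLV2_VERSION = 0x0002

# SSLv2 cipher kinds, 3 bytes each. The 40-bit export kinds are the ones
# the general DROWN attack relies on.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def sslv2_record(body):
    """Wrap a message in the 2-byte SSLv2 record header (bit 15 set, 15-bit length)."""
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_client_hello(challenge=None):
    """CLIENT-HELLO offering every SSLv2 cipher, no session id, 16-byte challenge."""
    challenge = challenge or os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS)
    return sslv2_record(b"\x01" + struct.pack(">H", SSLV2_VERSION)
                        + struct.pack(">HHH", len(ciphers), 0, len(challenge))
                        + ciphers + challenge)


def build_server_hello(cert_der, cipher_kinds, conn_id=b"\x00" * 16):
    """SERVER-HELLO as an SSLv2-enabled server answers; used for the offline demo."""
    ciphers = b"".join(cipher_kinds)
    return sslv2_record(b"\x04\x00\x01" + struct.pack(">H", SSLV2_VERSION)
                        + struct.pack(">HHH", len(cert_der), len(ciphers), len(conn_id))
                        + cert_der + ciphers + conn_id)


def parse_server_hello(record):
    """Return (certificate DER, [cipher names]) from a SERVER-HELLO, else None.

    A TLS-only server answers the probe with a TLS alert (0x15 0x03 ...) or
    closes the socket; neither carries the SSLv2 high bit, so both give None.
    """
    if len(record) < 2 or not record[0] & 0x80:
        return None
    body = record[2:2 + (struct.unpack(">H", record[:2])[0] & 0x7FFF)]
    if len(body) < 11 or body[0] != 0x04:
        return None
    # session_id_hit, cert_type, version, cert_len, cipher_len, conn_id_len
    _, _, version, cert_len, ciph_len, _ = struct.unpack(">BBHHHH", body[1:11])
    if version != SSLV2_VERSION:
        return None
    cert = body[11:11 + cert_len]
    raw = body[11 + cert_len:11 + cert_len + ciph_len]
    names = [SSLV2_CIPHERS.get(raw[i:i + 3], raw[i:i + 3].hex())
             for i in range(0, len(raw), 3)]
    return cert, names


def cert_fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()


def assess(record, web_cert_der=None):
    """Return (supports_sslv2, shares_cert_with_web_server) for a probe response."""
    parsed = parse_server_hello(record)
    if parsed is None or not parsed[1]:       # no hello, or hello with no ciphers
        return False, False
    cert, _ = parsed
    shared = web_cert_der is not None and cert_fingerprint(cert) == cert_fingerprint(web_cert_der)
    return True, shared


def probe_sslv2(host, port, timeout=5.0):
    """Send one CLIENT-HELLO to a live host and return the raw response (network)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = s.recv(65536)
        if data and data[0] & 0x80:           # SSLv2 record: read up to its length
            need = 2 + (struct.unpack(">H", data[:2])[0] & 0x7FFF)
            while len(data) < need:
                chunk = s.recv(65536)
                if not chunk:
                    break
                data += chunk
    return data


def check_pair(sslv2_host, sslv2_port, web_host, web_port=443):
    """Probe e.g. a mail server for SSLv2 and compare its cert with the web server's."""
    web_der = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((web_host, web_port)))
    return assess(probe_sslv2(sslv2_host, sslv2_port), web_der)


if __name__ == "__main__":
    # Constructed SERVER-HELLO; placeholder bytes stand in for a real DER cert.
    cert = b"CONSTRUCTED-CERT-DER"
    reply = build_server_hello(cert, [b"\x02\x00\x80", b"\x01\x00\x80"])
    print(assess(reply, cert))                         # SSLv2 plus key reuse
    print(assess(b"\x15\x03\x01\x00\x02\x02\x28"))     # TLS alert from a TLS-only host
```

`check_pair` only works against ports that speak TLS directly (443, 465, 993, 995); a mail server on port 25 negotiates TLS inside STARTTLS, so the raw probe must be preceded by the SMTP `STARTTLS` exchange. A host that answers the CLIENT-HELLO with a SERVER-HELLO but offers no ciphers is reported as not supporting SSLv2 because it cannot complete a handshake; the definitive fix is still to disable SSLv2 in every service that holds the key.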
The researchers blame DROWN on government attempts to weaken cryptography in the late 1990s for surveillance reasons, and say it is the third major vulnerability in the past year alone, after FREAK and Logjam, to stem from those export-grade ciphers.
The infamous Heartbleed bug, which also affected OpenSSL, raised awareness of the importance of securing the cryptographic libraries, especially open-source ones, that the Internet and the IT world depend on. The Linux Foundation’s Core Infrastructure Initiative (CII) is paying testers to examine all 500,000 lines of OpenSSL code.