Last year our heart was bleeding, now we’re drowning.
What is a DROWN Attack?
DROWN is a vulnerability affecting HTTPS and other services that rely on SSL and TLS protocols for security. Attackers are able to break encryption and steal sensitive information like credit card numbers, passwords, etc.
Essentially, you could be sitting at Starbucks on their public WiFi shopping for espresso makers and when you go to purchase the perfect machine you might as well be posting your CC# and billing info on the corkboard.
Who is Affected?
Websites, mail servers, and other TLS-dependent services are at risk. DROWNattack.com reported that 33% of HTTPS sites are considered vulnerable.
Getting the word out is key: currently more than 81,000 of the top 1 million most popular Web properties are among the vulnerable HTTPS-protected sites.
How Can I Prevent a DROWN Attack?
First, you need the right person to protect your server. At this point, there is nothing that end-users can do to protect themselves – this lies in the hands of your server operator.
To defend your properties from DROWN you need to check that SSLv2 is disabled on every service that uses your private key, or make sure the private key is not shared with any other service that still allows SSLv2. There is no need to re-issue certificates, but operators should act immediately.
Steve, our System Administrator, just protected our domains from DROWN in under 2 minutes. He checked the registry to ensure that SSLv2 was disabled.
Use the DROWNattack.com DROWN Check to see if your site is affected, and follow its step-by-step instructions on how to disable SSLv2 for:
- OpenSSL
- Microsoft IIS (Windows Server)
- Network Security Services (NSS)
- Apache
- Postfix
- Nginx
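Once SSLv2 is supposed to be off, verify it from the outside on every host that shares the key. The script below is an added example written for this post, not code from DROWNattack.com: it sends a minimal SSLv2 CLIENT-HELLO and reports whether the server answers with an SSLv2 SERVER-HELLO (the host still speaks SSLv2), a TLS alert (modern stack rejected it), or simply closes the connection. The host name, port and timeout in `check_host` are assumed inputs.

```python
"""Defender-side SSLv2 support check (added example, not the original post's code)."""
import socket
import struct

# SSLv2 cipher-kind codes to offer (RC4/RC2 including the 40-bit "export" kinds).
SSLV2_CIPHERS = [b"\x01\x00\x80", b"\x02\x00\x80", b"\x03\x00\x80",
                 b"\x04\x00\x80", b"\x06\x00\x40", b"\x07\x00\xc0"]

def build_sslv2_client_hello(challenge=b"\x00" * 16):
    """Return a record-framed SSLv2 CLIENT-HELLO (msg type 1, version 0x0002)."""
    specs = b"".join(SSLV2_CIPHERS)
    body = (b"\x01" + b"\x00\x02"
            + struct.pack("!HHH", len(specs), 0, len(challenge))  # specs, session-id, challenge lengths
            + specs + challenge)
    # 2-byte record header: high bit set means no padding byte, low 15 bits are the length.
    return struct.pack("!H", 0x8000 | len(body)) + body

def parse_sslv2_server_hello(data):
    """Parse an SSLv2 SERVER-HELLO (msg type 4); return its cipher-kind list, or None."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = struct.unpack("!H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    # msg-type(1) session-id-hit(1) cert-type(1) version(2) cert-len(2) spec-len(2) conn-id-len(2)
    if len(body) < 11 or body[0] != 0x04:
        return None
    cert_len, spec_len, _conn_len = struct.unpack("!HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    return [specs[i:i + 3] for i in range(0, len(specs) - len(specs) % 3, 3)]

def classify_response(data):
    """Map the first server reply to 'sslv2', 'tls_alert', 'closed' or 'unknown'."""
    if not data:
        return "closed"          # server dropped the connection: no SSLv2 handshake
    if data[0] == 0x15:
        return "tls_alert"       # TLS record type 21: hello rejected by a modern stack
    return "sslv2" if parse_sslv2_server_hello(data) is not None else "unknown"

def check_host(host, port=443, timeout=5):
    """Probe one host:port (assumed inputs) and return the classification string."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)
```

A result of "sslv2" on any host that holds the same private key means the key is still exposed, even if the main web server itself is fixed. Services that only offer TLS after STARTTLS (for example Postfix on port 25) need the STARTTLS step before the probe, which this example does not perform.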