Threat: DROWN attack places more than 11 million websites at risk.
Solution: OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2g and OpenSSL 1.0.1 should upgrade to OpenSSL 1.0.1s. If you are using another version of OpenSSL, you should move to the newer versions.
You should also ensure SSLv2 is disabled, as well as make sure that the private key isn’t shared across any other servers.
The DROWN attack targets servers that might not use SSL2 but still support it. Often this is done to support other servers that use it such as SMTP, IMAP, and POP mail servers. A DROWN attack could allow an attacker to decrypt HTTPS connections by sending specially crafted packets to a server or if the certificate is shared on another server, potentially performing a successful Man-in-the-Middle (MitM) attack.
You can find out if your website is vulnerable to this critical security hole using the DROWN attack test site.
Like many of these attacks, the fix is already out there. Server admins need to perform updates immediately to protect against attacks. In addition confirming all servers that use the same certificates are updated is important as this attack can compromise one server and be used on a “secure” server that uses the same certificate.
Who is Paul Darr?
Paul Darr has lived in California, Oregon, Colorado, and currently lives in San Antonio, Texas. Paul is also an Army Veteran, who has deployed to Iraq and Afghanistan. On the political spectrum Paul is a Libertarian that advocates fiscal responsibility and social tolerance. Paul is currently employed as an IT Manager and is a father of a handsome boy and beautiful daughter. In his free time Paul enjoys reading, using and modifying open source software, gaming, and several other geeky pursuits.