A new vulnerability could leave as many as one-third of HTTPS websites open to decryption, meaning that sensitive data including usernames, passwords and credit card numbers could be at risk.
The vulnerability has been dubbed DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) and affects servers using an SSLv2 certificate. The website for DROWN states that as many as 33% of sites could be affected, including 25% within the top one million domains.
According to The Next Web, vulnerable sites at the time of writing include major websites such as Yahoo, BuzzFeed, Flickr and Samsung.
SSLv2 has been available since the 90s and known to be vulnerable for years, so most servers now use a different protocol. However, it’s now emerged that even allowing SSLv2 is a threat to modern servers and clients.
The DROWN website points to the weakening of cryptography by US government policies in recent years, resulting in the third major internet security vulnerability in a year, following FREAK and Logjam.
To find out whether your domain or IP address is vulnerable, a tool has been posted on the DROWN website.
If found vulnerable, it’s suggested that server owners take action immediately to prevent attack.
“To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections,” says the FAQ on the DROWN website. “This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS.”
While there is no reason to suspect that cybercriminals have exploited the vulnerability prior to the recent disclosure, now that the details are public it’s important to take these countermeasures.
by Kyle Ellison, ESET We Live Security