OpenSSL websites now at risk, DROWN attack
Recently news hit that millions of OpenSSL secured websites are now at risk due to the new DROWN attack. Tod
Beardsley, Security Research Manager at Rapid7, had this to say about the attack:
The work behind today’s DROWN attack announcement represents the very best of open,
collaborative, international security research. Academics and professionals actively
probing the edges of practical cryptanalysis is the open source security promise.
In the case of DROWN, the attacker does have to be in a privileged position on the
network in order to eavesdrop on a TLS session, and also needs to have already
conducted some reconnaissance on the server-side infrastructure, but this is the
nature of padding oracle attacks. While it’s not Heartbleed, DROWN techniques do
demonstrate the weaknesses inherent in legacy cryptography standards.
I’m looking forward to the release of exploit code so that system administrators can
demonstrate for themselves the practical effects of DROWN. In the meantime,
sysadmins should ensure that all their cryptographic services have truly disabled
the old and deeply flawed SSLv2 protocol, and consider the cost and effort
associated with providing unique private keys for their individual servers.
Image Source: Pixbay