DROWN Attack - TLS Attack Via SSLv2

The DROWN attack is a new critical vulnerability that affects HTTPS and other services that rely on SSL and TLS.

These services are some of the most important for Internet security.

When working properly, SSL and TLS allow users to browse the Web, shop online, use email services, and send messages without a hacker or other third party being able to intercept their communications. The DROWN attack allows hackers to break the encryption and set up shop in the middle of any communications channel using these protocols. The data exposed this way includes, but is not limited to, passwords, credit card numbers, business secrets, and financial data. According to drownattack.com, 33% of all HTTPS servers are vulnerable to this attack.

To find out if your website is vulnerable, please visit drownattack.com. You will also find remediation information there on how to protect your server going forward. However, a URL testing tool cannot reach machines situated behind firewalls, so we have written this article for the system administrators who manage such servers.