Millions of supposedly secure websites at risk from 'DROWN' SSL vulnerability

Still supporting SSLv2? Researchers warn that you're asking for trouble

As many as 11 million websites are at risk of a newly uncovered security vulnerability affecting HTTPS and other services that rely on SSL and TLS encryption, according to researchers.

The research, by academics at three universities, was released today. They dubbed the vulnerability "DROWN".

SSL and TLS are widely used to encrypt web transactions and other highly sensitive traffic. And, in an era when more and more governments are engaging in large-scale web surveillance, HTTPS has been increasingly deployed to protect people's browsing of ordinary websites, too.

"DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Our measurements indicate 33 per cent of all HTTPS servers are vulnerable to the attack," claim the researchers behind the paper that explains how it works.

Their research indicates that one-quarter of top-level domains deploying HTTPS and one-third of all sites are vulnerable to the security flaw.

The DROWN flaw centres on continuing legacy support for outdated crypto by website operators. "Due to misconfigurations, many servers also still support SSLv2, a 1990s-era predecessor to TLS. This support did not matter in practice, since no up-to-date clients actually use SSLv2. Therefore, even though SSLv2 is known to be badly insecure, until now, merely supporting SSLv2 was not considered a security problem, because clients never used it.

"[But] DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.

A server is vulnerable to DROWN if:

• It allows SSLv2 connections, which is surprisingly common, due to a combination of misconfiguration and inappropriate default settings. According to the researchers, 17 per cent of HTTPS servers still allow SSLv2 connections; or,
• The server's private key is used on any other server that allows SSLv2 connections, even for another protocol. Many companies re-use the same certificate and key on their web and email servers, for instance. In this case, if the email server supports SSLv2 and the web server does not, an attacker can take advantage of the email server to break TLS connections to the web server. Taking key re-use into account, some 16 per cent of HTTPS servers are also vulnerable, putting one-third of HTTPS servers at risk.

"To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS," advise the researchers.

The authors of the research - based in universities across three continents - have produced a full technical paper, which can be perused via the drownattack.com website.