Cloud Insidr

Cybersecurity in the Age of the Machine

DROWN, a New Attack on OpenSSL: Millions of OpenSSL-Secured Websites Are at Risk!

Filipe Martins 2016-03-01 3 Comments

A recently discovered security vulnerability in OpenSSL allows a long-deprecated protocol, SSL v2 (Secure Sockets Layer version 2), to be misused in attacks on modern websites. The new attack has been, perhaps fittingly, dubbed DROWN, an acronym for Decrypting RSA with Obsolete and Weakened eNcryption. Cyber security analysts believe it might shut down, or shall we say drown, more than one third of all HTTPS servers. Is yours one of them?

Your server is vulnerable to DROWN if:

  • it allows SSLv2, OR(!)
  • it uses a private key that is also in use by any other server software that allows SSLv2 connections (such as your mail server!).

Upgrade your OpenSSL software as soon as possible. OpenSSL 1.0.2 must be upgraded to version 1.0.2g. OpenSSL 1.0.1 must be upgraded to version 1.0.1s. Should you be using an older version, now is the time to upgrade to 1.0.2g or 1.0.1s.

Having said that, an OpenSSL update won’t do you any good unless your SSL configuration is close to flawless. You must deactivate the SSL protocols (regardless of the version) as well as TLS 1.0. Your server should only support TLS versions 1.1 and 1.2.

DROWN shows that merely supporting SSLv2 is a threat in itself: it allows an attacker to probe the SSLv2 service and then decrypt connections between up-to-date clients and the server.
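The two vulnerability conditions above, written out as a check over a host's TLS-enabled services, together with a small reader for the nginx `ssl_protocols` directive mentioned later in this post. This is an added example, not code from the article; the service names, key paths and protocol sets are constructed sample values.

```python
import re

# Constructed inventory of TLS-enabled services on one host (sample values, not
# from the article): service name, the private key file it loads, and the
# protocol versions it is configured to accept.
SERVICES = [
    {"name": "nginx:443", "key": "/etc/ssl/private/site.key",
     "protocols": {"TLSv1.1", "TLSv1.2"}},
    {"name": "postfix:25", "key": "/etc/ssl/private/site.key",
     "protocols": {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}},
    {"name": "dovecot:993", "key": "/etc/ssl/private/mail.key",
     "protocols": {"TLSv1", "TLSv1.1", "TLSv1.2"}},
]

# The only protocol versions the article tells you to keep enabled.
RECOMMENDED = {"TLSv1.1", "TLSv1.2"}


def drown_exposure(services):
    """Return {service name: reason} for every service the DROWN conditions hit.

    Condition 1: the service itself accepts SSLv2.
    Condition 2: the service shares its private key with a service that accepts
    SSLv2, so even a TLS-1.2-only web server is exposed through its mail server.
    """
    sslv2_by_key = {s["key"]: s["name"] for s in services if "SSLv2" in s["protocols"]}
    findings = {}
    for s in services:
        if "SSLv2" in s["protocols"]:
            findings[s["name"]] = "accepts SSLv2"
        elif s["key"] in sslv2_by_key:
            findings[s["name"]] = f"shares key with {sslv2_by_key[s['key']]}, which accepts SSLv2"
    return findings


def legacy_protocols(services):
    """Per service, the protocols the article says to disable: any SSL version and TLS 1.0."""
    return {s["name"]: sorted(s["protocols"] - RECOMMENDED)
            for s in services if s["protocols"] - RECOMMENDED}


def nginx_ssl_protocols(conf_text):
    """Read the protocol set from an nginx `ssl_protocols ...;` directive."""
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", conf_text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()
```

Running `drown_exposure(SERVICES)` flags the web server even though it only speaks TLS 1.1/1.2, because it shares its key with the SSLv2-enabled mail server.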

For an explanation on how you can verify your configuration, check out this short CloudInsidr Tip of The Day: Test Your Web Server’s Crypto Prowess for TLS, Diffie-Hellman, and more. For more on how to configure HTTP/2 with TLS Encryption in NGINX, read this post.

Given all the recent cyber security vulnerabilities, it seems that not enough is being done to prevent future attacks. Most websites of industry heavyweights like Apple, Dell, EMC, Microsoft, RSA, and others have neither CSPs (Content Security Policies) nor even protection against XSS (cross-site scripting) attacks in place. Don’t let that be your web server.

Check out these CloudInsidr articles:

  • Secure Your Web Server against Attacks via XSRF/CSRF/XFS: How to Design a Content Security Policy
  • Fixing your Web Server’s Security Headers: From Hall of Shame to Hall of Fame


Filed Under: administration and orchestration, alerts, cloud, edge and everything in between, cybersecurity and cyber warfare, news Tagged With: DROWN, HTTP/2, OpenSSL

Comments

  1. Nathanael Pedrin says

    2016-04-25 at 11:13 pm

    Lovely, just what I was searching for. Thanks to the author for taking his time on this one.

    Reply
  2. Kill Shot cheats says

    2016-03-04 at 1:29 am

    Hello! Do you know if they make any plugins to help
    with Search Engine Optimization? I’m trying to get my blog to rank for some targeted
    keywords but I’m not seeing very good gains. If you know of any
    please share. Kudos!

    Reply
    • insidr says

      2016-03-04 at 6:10 am

      Hi,

      Thanks for reaching out! :-)

      Did you try All In One SEO Pack? It works well for us… :-)
      Assuming high-quality content and solid SEO, the next thing you need is speed. PHP 7 and NGINX help a lot to achieve good rankings.

      You might want to look at this Cloudinsidr article, too:

      How to Install PHP 7 on CentOS 7 (Red Hat/Fedora family)

      Reply
