{"id":998,"date":"2016-03-01T15:19:08","date_gmt":"2016-03-01T23:19:08","guid":{"rendered":"https:\/\/www.cloudinsidr.com\/content\/?p=998"},"modified":"2016-03-22T14:10:31","modified_gmt":"2016-03-22T22:10:31","slug":"new-drown-attack-millions-of-openssl-secured-websites-are-at-risk","status":"publish","type":"post","link":"https:\/\/www.cloudinsidr.com\/content\/new-drown-attack-millions-of-openssl-secured-websites-are-at-risk\/","title":{"rendered":"DROWN, a New Attack on OpenSSL: Millions of OpenSSL-Secured Websites Are at Risk!"},"content":{"rendered":"<p>A newly disclosed attack against OpenSSL-based servers allows a long-deprecated protocol, SSLv2 (Secure Sockets Layer version 2), to be misused in attacks on modern websites. The attack has been, perhaps fittingly, dubbed <a href=\"https:\/\/drownattack.com\/top-sites\" target=\"_blank\">DROWN<\/a>, an acronym for <strong>Decrypting RSA with Obsolete and Weakened eNcryption<\/strong>. The researchers who disclosed it estimate that it can break the encryption of, or shall we say <em>drown<\/em>, more than one third of all HTTPS servers. Is yours one of them?<\/p>\n<p><!--more--><\/p>\n<p>Your server is vulnerable to DROWN if:<\/p>\n<ul>\n<li>it allows SSLv2 connections, OR(!)<\/li>\n<li>it uses a private key that is also in use by any other server software that allows SSLv2 connections (such as your mail server!), even if the web server itself speaks nothing but TLS.<\/li>\n<\/ul>\n<p>Upgrade your OpenSSL software as soon as possible. OpenSSL 1.0.2 must be upgraded to version 1.0.2g, OpenSSL 1.0.1 to version 1.0.1s; both releases disable SSLv2 at build time by default, and the OpenSSL advisory tracks the issue as CVE-2016-0800. Should you be running an older branch, now is the time to upgrade to 1.0.2g or 1.0.1s.<\/p>\n<p>Having said that, an OpenSSL update won&#8217;t do you any good unless your TLS configuration is close to flawless. You must deactivate all SSL protocol versions (SSLv2 and SSLv3) as well as TLS 1.0, on the web server and on every other service that uses the same private key. 
Your server should only support TLS versions 1.1 and 1.2.<\/p>\n<p>DROWN shows that merely supporting SSLv2 anywhere is a threat in itself. It is a cross-protocol attack: the SSLv2 service acts as a decryption oracle for the RSA private key, so an attacker who has recorded TLS connections between up-to-date clients and a perfectly configured TLS-only server can decrypt those that used RSA key exchange by replaying the captured key-exchange messages, in modified form, to any SSLv2 server that holds the same key. Disabling SSLv2 on the web server alone is therefore not enough if the key is reused elsewhere.<\/p>\n<p>For an explanation of how to verify your configuration, check out this short CloudInsidr <em><a href=\"https:\/\/www.cloudinsidr.com\/content\/tip-of-the-day-test-your-web-servers-crypto-prowess-for-tls-diffie-hellman-and-more\/#more-107\" target=\"_blank\">Tip of The Day: Test Your Web Server\u2019s Crypto Prowess for TLS, Diffie-Hellman, and more<\/a>.<\/em> For more on how to configure HTTP\/2 with TLS encryption in NGINX, read <a href=\"https:\/\/www.cloudinsidr.com\/content\/how-to-activate-http2-with-ssltls-encryption-in-nginx-for-secure-connections\/\" target=\"_blank\">this post<\/a>.<\/p>\n<p>Given all the <a href=\"https:\/\/www.linkedin.com\/pulse\/next-frontier-hacks-data-leaks-how-http2-fits-picture-filipe-martins?trk=pulse_spock-articles\" target=\"_blank\">recent cyber security vulnerabilities<\/a>, it seems that not enough is being done to prevent future attacks. 
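<\/p>\n<p>As a concrete check for the two DROWN conditions listed above, here is an added example (not part of the original post, and not tooling from OpenSSL or drownattack.com): a small Python probe that hand-builds an SSLv2 CLIENT-HELLO, sends it to a service, and parses any SSLv2 SERVER-HELLO that comes back, flagging the 40-bit export cipher kinds the general DROWN attack relies on. The default target host, the port list and the placeholder certificate bytes in the test-vector builder are assumptions for illustration.<\/p>

```python
import os
import socket
import struct

# SSLv2 cipher kinds (3-byte codes) from the SSL 2.0 specification.
SSLV2_CIPHER_NAMES = {
    0x010080: 'SSL_CK_RC4_128_WITH_MD5',
    0x020080: 'SSL_CK_RC4_128_EXPORT40_WITH_MD5',
    0x030080: 'SSL_CK_RC2_128_CBC_WITH_MD5',
    0x040080: 'SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5',
    0x050080: 'SSL_CK_IDEA_128_CBC_WITH_MD5',
    0x060040: 'SSL_CK_DES_64_CBC_WITH_MD5',
    0x0700C0: 'SSL_CK_DES_192_EDE3_CBC_WITH_MD5',
}
# The 40-bit export kinds: the general DROWN attack brute-forces these keys.
EXPORT_40BIT = {0x020080, 0x040080}

MSG_CLIENT_HELLO = 1
MSG_SERVER_HELLO = 4
SSLV2_VERSION = 0x0002


def _record(body: bytes) -> bytes:
    # Two-byte SSLv2 record header; high bit set means no padding byte follows.
    return struct.pack('>H', 0x8000 | len(body)) + body


def build_client_hello(challenge: bytes = bytes(16)) -> bytes:
    """CLIENT-HELLO offering every SSLv2 cipher kind.

    Layout: msg_type(1) version(2) cipher_specs_len(2) session_id_len(2)
    challenge_len(2) cipher_specs session_id challenge.
    """
    cipher_specs = b''.join(c.to_bytes(3, 'big') for c in SSLV2_CIPHER_NAMES)
    header = struct.pack('>BHHHH', MSG_CLIENT_HELLO, SSLV2_VERSION,
                         len(cipher_specs), 0, len(challenge))
    return _record(header + cipher_specs + challenge)


def build_server_hello(ciphers, cert: bytes = bytes.fromhex('3003020100'),
                       connection_id: bytes = bytes(16)) -> bytes:
    """SERVER-HELLO as an SSLv2-speaking server would answer it.

    Used here to build offline test vectors; the default certificate is a
    constructed placeholder, not a real X.509 blob.
    Layout: msg_type(1) session_id_hit(1) cert_type(1) version(2) cert_len(2)
    cipher_specs_len(2) connection_id_len(2) cert cipher_specs connection_id.
    """
    cipher_specs = b''.join(c.to_bytes(3, 'big') for c in ciphers)
    header = struct.pack('>BBBHHHH', MSG_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                         len(cert), len(cipher_specs), len(connection_id))
    return _record(header + cert + cipher_specs + connection_id)


def parse_server_hello(data: bytes):
    """Return the cipher kinds an SSLv2 SERVER-HELLO offers, or None.

    None covers every non-SSLv2 reply: an empty read from a server that just
    closed the socket, a TLS alert record (first byte 0x15, high bit clear),
    or an SSLv2 ERROR message.
    """
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    fields = struct.unpack('>BBBHHHH', body[:11])
    version, cert_len, specs_len = fields[3], fields[4], fields[5]
    if version != SSLV2_VERSION:
        return None
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    ciphers = [int.from_bytes(specs[i:i + 3], 'big')
               for i in range(0, len(specs) - len(specs) % 3, 3)]
    return {
        'certificate_der': body[11:11 + cert_len],
        'ciphers': ciphers,
        'cipher_names': [SSLV2_CIPHER_NAMES.get(c, 'unknown(%06x)' % c)
                         for c in ciphers],
        'export_ciphers': [c for c in ciphers if c in EXPORT_40BIT],
    }


def assess(hello) -> str:
    """DROWN verdict for one service, from the result of parse_server_hello()."""
    if hello is None:
        return 'no SSLv2 SERVER-HELLO: this service does not speak SSLv2'
    if hello['export_ciphers']:
        return ('SSLv2 accepted with 40-bit export cipher kinds: general DROWN '
                'oracle available for every service sharing this RSA key')
    return ('SSLv2 accepted: disable it here and on every other service that '
            'shares this RSA key')


def probe(host: str, port: int, timeout: float = 5.0):
    """Send a CLIENT-HELLO to host:port and parse whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(os.urandom(16)))
        data = b''
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
                if len(data) >= 2:
                    want = 2 + (((data[0] & 0x7F) << 8) | data[1])
                    if len(data) >= want:
                        break
        except (socket.timeout, ConnectionError):
            pass
    return parse_server_hello(data)


if __name__ == '__main__':
    import sys
    # Assumed default target; pass your own host name as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else 'localhost'
    # HTTPS plus the implicit-TLS mail ports that often reuse the web cert.
    for port in (443, 465, 993, 995):
        try:
            print(host, port, assess(probe(host, port)))
        except OSError as exc:
            print(host, port, 'connection failed:', exc)
```

<p>Run it against hosts you own only, for example <code>python drown_probe.py www.example.com<\/code> (the file name is an assumption). It probes the HTTPS port and the implicit-TLS mail ports because that is where the shared-key condition typically bites: a TLS-only web server is still exposed if the mail daemon answers SSLv2 with a certificate carrying the same RSA key. The hello is hand-built because OpenSSL 1.0.2g and later no longer offer <code>s_client -ssl2<\/code> unless compiled with SSLv2 support.<\/p>\n<p>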
Most websites of industry heavyweights like <a href=\"https:\/\/www.cloudinsidr.com\/content\/new-drown-attack-millions-of-openssl-secured-websites-are-at-risk\/securityheaders_apple\/\" target=\"_blank\">Apple<\/a>, <a href=\"https:\/\/www.cloudinsidr.com\/content\/new-drown-attack-millions-of-openssl-secured-websites-are-at-risk\/securityheaders_dell\/\" target=\"_blank\">Dell<\/a>, <a href=\"https:\/\/www.cloudinsidr.com\/content\/new-drown-attack-millions-of-openssl-secured-websites-are-at-risk\/securityheaders_emc\/\" target=\"_blank\">EMC<\/a>, <a href=\"https:\/\/www.cloudinsidr.com\/content\/new-drown-attack-millions-of-openssl-secured-websites-are-at-risk\/securityheaders_microsoft\/\" target=\"_blank\">Microsoft<\/a>, <a href=\"https:\/\/www.cloudinsidr.com\/content\/new-drown-attack-millions-of-openssl-secured-websites-are-at-risk\/securityheaders_rsa\/\" target=\"_blank\">RSA<\/a>, and others have neither a CSP (Content Security Policy) nor even basic header-based protection against XSS (cross-site scripting) attacks in place. 
Don&#8217;t let that be your web server.<\/p>\n<p>Check out these\u00a0CloudInsidr articles:<\/p>\n<ul>\n<li><em><a href=\"https:\/\/www.cloudinsidr.com\/content\/secure-your-web-server-against-attacks-via-xsrfcsrfxfs-how-to-design-a-content-security-policy\/\" target=\"_blank\">Secure Your Web Server against Attacks via XSRF\/CSRF\/XFS: How to Design a Content Security Policy<\/a><\/em><\/li>\n<li><em><a href=\"https:\/\/www.cloudinsidr.com\/content\/fixing-your-web-servers-security-headers-from-hall-of-shame-to-hall-of-fame\/\" target=\"_blank\">Fixing your Web Server\u2019s Security Headers: From Hall of Shame to Hall of Fame<\/a><\/em><\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/03\/HTTP2_TLS1.png\" rel=\"attachment wp-att-1007\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1007\" src=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/03\/HTTP2_TLS1.png\" alt=\"HTTP2_TLS1\" width=\"958\" height=\"683\" srcset=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/03\/HTTP2_TLS1.png 958w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/03\/HTTP2_TLS1-600x428.png 600w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/03\/HTTP2_TLS1-300x214.png 300w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/03\/HTTP2_TLS1-768x548.png 768w\" sizes=\"(max-width: 958px) 100vw, 958px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A recently discovered security vulnerability in OpenSSL allows a long-deprecated protocol, SSL v2 (Secure Sockets Layer) to be misused in\u00a0attacks at modern websites. The new attack has been, perhaps fittingly, dubbed\u00a0DROWN, an acronym\u00a0for Decrypting RSA with Obsolete and Weakened eNcryption. 
Cyber security analysts believe it might shut down&#8211;or shall we say drown, more than one [&hellip;]<\/p>\n","protected":false},"author":101012,"featured_media":1003,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[16,131,17,33,89],"tags":[127,48,126],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v14.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>DROWN, a New Attack on OpenSSL: Millions of OpenSSL-Secured Websites Are at Risk! - CloudInsidr<\/title>\n<meta name=\"robots\" content=\"index, follow\" \/>\n<meta name=\"googlebot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta name=\"bingbot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cloudinsidr.com\/content\/new-drown-attack-millions-of-openssl-secured-websites-are-at-risk\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"DROWN, a New Attack on OpenSSL: Millions of OpenSSL-Secured Websites Are at Risk! - CloudInsidr\" \/>\n<meta property=\"og:description\" content=\"A recently discovered security vulnerability in OpenSSL allows a long-deprecated protocol, SSL v2 (Secure Sockets Layer) to be misused in\u00a0attacks at modern websites. The new attack has been, perhaps fittingly, dubbed\u00a0DROWN, an acronym\u00a0for Decrypting RSA with Obsolete and Weakened eNcryption. 
Cyber security analysts believe it might shut down&#8211;or shall we say drown, more than one [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cloudinsidr.com\/content\/new-drown-attack-millions-of-openssl-secured-websites-are-at-risk\/\" \/>\n<meta property=\"og:site_name\" content=\"CloudInsidr\" \/>\n<meta property=\"article:published_time\" content=\"2016-03-01T23:19:08+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2016-03-22T22:10:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/03\/tsunami-wave.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"424\" \/>\n\t<meta property=\"og:image:height\" content=\"283\" \/>\n<meta name=\"twitter:card\" content=\"summary\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/\",\"name\":\"CloudInsidr\",\"description\":\"Cyber security, infotech\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/www.cloudinsidr.com\/content\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/new-drown-attack-millions-of-openssl-secured-websites-are-at-risk\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/03\/tsunami-wave.jpg\",\"width\":424,\"height\":283},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/new-drown-attack-millions-of-openssl-secured-websites-are-at-risk\/#webpage\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/new-drown-attack-millions-of-openssl-secured-websites-are-at-risk\/\",\"name\":\"DROWN, a New Attack on OpenSSL: Millions of OpenSSL-Secured Websites Are 
at Risk! - CloudInsidr\",\"isPartOf\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/new-drown-attack-millions-of-openssl-secured-websites-are-at-risk\/#primaryimage\"},\"datePublished\":\"2016-03-01T23:19:08+00:00\",\"dateModified\":\"2016-03-22T22:10:31+00:00\",\"author\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/73723b2da71b6d515d17ca593ea5dc68\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cloudinsidr.com\/content\/new-drown-attack-millions-of-openssl-secured-websites-are-at-risk\/\"]}]},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/73723b2da71b6d515d17ca593ea5dc68\",\"name\":\"Filipe Martins\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/dbac033b4d26da8ca1fbde233e49c8dc?s=96&d=mm&r=g\",\"caption\":\"Filipe Martins\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/998"}],"collection":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/users\/101012"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/comments?post=998"}],"version-history":[{"count":19,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/998\/revisions"}],"predecessor-version":[{"id":1041,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/998\/revisions\/1041"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media\/1003"}],"wp:attachment":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media?parent=998"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/categories?post=998"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/tags?post=998"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}