Almost a third of HTTPS websites about to DROWN

Almost a third of HTTPS websites about to DROWN

DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption.

As Washington braces for an Apple vs. FBI encryption fight, remnants of the last crypto wars continue to haunt businesses today.

The new DROWN Attack impacts HTTPS and other services that rely on SSL and TLS, and reportedly affects major sites including Yahoo!, Alibaba, and

The attack lets an unauthorized party decrypt TLS-dependent services, potentially opening up passwords, banking information, and more to interception, while also allowing malicious parties to modify supposedly authenticated content.

The attack works by relying on the fact that many servers still support SSLv2, a predecessor to TLS. By sending probes to a server that supports SSLv2 and uses the same private key, the attacker can also decrypt the TLS connection.

Our measurements indicate 33% of all HTTPS servers are vulnerable to the attack, the researchers noted.

The attack was developed by researchers at Tel Aviv University, M√ľnster University of Applied Sciences, Ruhr University Bochum, the University of Pennsylvania, the Hashcat project, the University of Michigan, Two Sigma, Google, and the OpenSSL project.

Matthew Green has some good analysis, particularly about the roots of the problem:

The reason you might think SSLv2 is terrible is because it was a product of the mid-1990s, which modern cryptographers view as the dark ages of cryptography. Many of the nastier cryptographic attacks we know about today had not yet been discovered. As a result, the SSLv2 protocol designers were forced to essentially grope their way in the dark, and so were frequently devoured by grues -- to their chagrin and our benefit, since the attacks on SSLv2 offered priceless lessons for the next generation of protocols.

And yet, these honest mistakes are not worst thing about SSLv2. The most truly awful bits stem from the fact that the SSLv2 designers were forced to ruin their own protocol. This was the result of needing to satisfy the U.S. government's misguided attempt to control the export of cryptography. Rather than using only secure encryption, the designers were forced to build in a series of export-grade ciphersuites that offered abysmal 40-bit session keys and other nonsense. I've previously written about the effect of export crypto on today's security. Today we'll have another lesson.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.