DROWN Vulnerability shows critical vulnerability in HTTPS
The new DROWN vulnerability allows remote compromise of websites that use HTTPS.
IT security experts have found yet another vulnerability in HTTPS.
The new method, called DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), is comparable in severity to the Heartbleed vulnerability from 2014.
The attack exploits previously unknown vulnerabilities in SSLv2. The attacker needs to observe 1,000 TLS connection handshakes.
Thereafter the attacker can launch 40,000 SSLv2 connections and decrypt a 2048-bit RSA key. This has been demonstrated on Amazon EC2 servers, where the decryption computation cost only 440 US$ in rent.
One third of HTTPS servers vulnerable to DROWN attack
Cheaper and more cost-effective attacks can also be carried out by using a vulnerability in OpenSSL that was present in test and final versions from 1998 to 2015.
This variant is so fast that black hat attackers could carry out man-in-the-middle attacks against modern web browsers.
OpenSSL has released patches to fix this problem.
If you are running OpenSSL, it is recommended to upgrade to the latest version and make sure you are running at least OpenSSL 1.0.2g or 1.0.1s.
At the present moment (March 2016), IT security researchers' investigation of the Internet shows that at least 38 percent of all HTTPS web servers and 22 percent of those with browser-trusted certificates are vulnerable to the DROWN attack.
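Two checks a defender would want from the section above, written here as an added example that is not part of the original article or of any product it mentions. The first compares the output of `openssl version` against the minimum releases the article names (1.0.2g and 1.0.1s); the rule that branches newer than 1.0.2 count as patched and older, unsupported branches (1.0.0, 0.9.8) count as unpatched is an assumption of this check. The second builds an SSLv2 CLIENT-HELLO and classifies what a server sends back, so you can confirm that SSLv2 is actually refused on your own hosts; the sample SERVER-HELLO bytes are constructed for the test and the host in the usage line is a placeholder.

```python
import os
import re
import socket
import struct
import subprocess

# --- Check 1: is the installed OpenSSL at or above the releases named on the page? ---

# Minimum patched release per OpenSSL branch, as stated in the article.
DROWN_FIXED = {(1, 0, 2): "g", (1, 0, 1): "s"}


def parse_openssl_version(version_output):
    """Turn 'OpenSSL 1.0.1e-fips 11 Feb 2013' into (1, 0, 1, 'e'); None if unparseable."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)", version_output)
    if not m:
        return None
    major, minor, patch, letters = m.groups()
    return int(major), int(minor), int(patch), letters


def letter_key(letters):
    # OpenSSL patch letters run a..z, then za, zb, ...: a longer suffix is newer.
    return (len(letters), letters)


def is_drown_patched(version_output):
    """True if the version string is at or above 1.0.2g / 1.0.1s for its branch."""
    parsed = parse_openssl_version(version_output)
    if parsed is None:
        return False  # cannot confirm the version, so treat it as unpatched
    major, minor, patch, letters = parsed
    branch = (major, minor, patch)
    if branch in DROWN_FIXED:
        return letter_key(letters) >= letter_key(DROWN_FIXED[branch])
    # Assumption: branches newer than 1.0.2 post-date the fix; older branches
    # (1.0.0, 0.9.8) sit below the article's minimum and count as unpatched.
    return branch > (1, 0, 2)


def local_openssl_version():
    """Run 'openssl version' on this host and return its output."""
    return subprocess.run(["openssl", "version"], capture_output=True,
                          text=True, check=True).stdout


# --- Check 2: does a server still answer an SSLv2 CLIENT-HELLO? ---

# SSLv2 cipher-kind codes (3 bytes each) from the SSLv2 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_sslv2_client_hello(challenge=None):
    """Build an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher kind."""
    challenge = challenge if challenge is not None else os.urandom(16)
    cipher_specs = b"".join(SSLV2_CIPHERS)
    body = (
        b"\x01"                                 # MSG-CLIENT-HELLO
        + b"\x00\x02"                           # protocol version 2
        + struct.pack(">H", len(cipher_specs))  # CIPHER-SPECS-LENGTH
        + struct.pack(">H", 0)                  # SESSION-ID-LENGTH (none)
        + struct.pack(">H", len(challenge))     # CHALLENGE-LENGTH
        + cipher_specs
        + challenge
    )
    # 2-byte SSLv2 record header: high bit set, 15-bit length, no padding.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(data):
    """Return (sslv2_supported, cipher_names) for the bytes a server sent back."""
    if len(data) < 2 or not (data[0] & 0x80):
        return False, []  # not a 2-byte SSLv2 record (a TLS alert starts with 0x15)
    record_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + record_len]
    if len(body) < 11 or body[0] != 0x04 or body[3:5] != b"\x00\x02":
        return False, []  # not an SSLv2 SERVER-HELLO
    cert_len, specs_len, _conn_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    names = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
             for i in range(0, len(specs) // 3 * 3, 3)]
    return True, names


def probe_sslv2(host, port=443, timeout=5.0):
    """Connect to host:port, send the CLIENT-HELLO and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        data = b""
        try:
            # Read until a full SSLv2 record is in, or the peer clearly isn't SSLv2.
            while len(data) < 2 or len(data) < 2 + (((data[0] & 0x7F) << 8) | data[1]):
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
                if not (data[0] & 0x80):
                    break
        except (socket.timeout, ConnectionError):
            pass
    return parse_sslv2_server_hello(data)


def sample_server_hello():
    """Constructed SERVER-HELLO: placeholder cert, two cipher kinds, 16-byte connection id."""
    body = (b"\x04\x00\x01\x00\x02" + struct.pack(">HHH", 4, 6, 16)
            + b"CERT" + b"\x01\x00\x80\x07\x00\xc0" + b"\x00" * 16)
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    print("local OpenSSL patched:", is_drown_patched(local_openssl_version()))
    print("SSLv2 on placeholder host:", probe_sslv2("www.example.invalid"))  # placeholder
```

The version check is only half the picture: a server is exposed if SSLv2 is still negotiable, so run the probe against every service that presents the same RSA certificate, not just the web server, and expect `(False, [])` from each.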
Implement automatic security scanning
It is recommended for private, commercial and government organizations to implement daily web security scanning.
Optimally, scan all internal and public IP addresses for critical vulnerabilities and provide automatic notification of any critical vulnerabilities found.
This way the customer can react quickly before the servers are compromised.
With the Penetrator Vulnerability Scanning suite you can easily scan both your local and public systems.
You can sign up for a free scan to find out if you are affected by DROWN or other SSL vulnerabilities.