HTTPS DROWN flaw: Security bods' hearts sink as tatty protocols wash away web crypto

Reaction from the industry pours in


The discovery of an HTTPS encryption vulnerability, dubbed DROWN, again proves that supporting tired old protocols weakens modern crypto systems.

DROWN (aka Decrypting RSA with Obsolete and Weakened eNcryption) is a serious design flaw that affects HTTPS websites and other network services that rely on SSL and TLS – which are core cryptographic protocols for internet security. As previously reported, about a third of all HTTPS servers are vulnerable to attack, the computer scientists behind the discovery of the issue warn.

DROWN basically allows a miscreant to snoop on and decrypt a victim's encrypted web connections, allowing crooks to swipe passwords and so on.

"DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data," said the research team.

A total of 15 experts from universities in the US, Israel and Germany contributed to a study which led to today's publication of the paper DROWN: Breaking TLS using SSLv2, available here [PDF].

Modern servers and clients use the TLS encryption protocol. However, due to sloppy configuration settings, many servers continue to support SSLv2, a 1990s-era predecessor to TLS. That sounds like an obvious weakness in security, but it didn't really matter up until now because no up-to-date software actually uses SSLv2 – apps and other programs tend to use TLS these days.

SSLv2 has been hopelessly insecure for years; however, merely supporting SSLv2 server-side was not generally considered a security problem because no client-side software was using it.

DROWN and out: Weak legacy tech KOs security

It's no great exaggeration to describe DROWN as a game changer.

DROWN shows that merely supporting SSLv2 puts modern servers and clients at risk. Hackers can exploit weaknesses in the v2 protocol to decrypt the communications between modern clients and servers – even if those clients and servers are using a stronger protocol, such as TLS v1.2, to exchange information securely. The trick involves sending lots and lots of probes to a server that supports SSLv2 and reuses the same RSA private key for SSLv2 as for TLS.

In some situations, an attacker can run a man-in-the-middle attack to impersonate a secure website and intercept or change the content the user sees.

Websites, mail servers, and other TLS-dependent services are at risk from the DROWN attack. Details of the security flaw were shared with software vendors before the researchers went public with their findings on Tuesday so patches should be available to shut down this issue.

Exploiting the DROWN flaw is not trivial, although the technically skilled can attack high-value targets without breaking the bank. The vulnerability's researchers reckon assaults can be mounted from a typical subscription-based cloud system for less than $500.

We're still fighting the first crypto war

Today is the first full day of the RSA Conference in San Francisco, and it was slated to feature talks and debate about the legal standoff between Apple and the FBI over decrypting information on a killer's iPhone. Instead, discussion in the halls is likely to turn to this fresh cryptographic security flap, which some say traces its origins back to attempts by the US government to cripple encryption back in the 1990s.

"90s 'export' grade weak encryption, then required by US govt, is 'pure poison'," said Christopher Soghoian, a principal technologist at the ACLU, in a tweet on his personal Twitter stream. "The US govt forced the tech industry to use weakened crypto in the 90s. The DROWN attack demonstrates the long-term cost of weakened crypto," he added.

Brown alert

More immediately, sysadmins will have their work cut out in dealing with the flaw.

Kyle Lady of mobile security firm Duo Security commented: "From the system administration perspective, this bug demonstrates the importance of holistic security assessment: it's not enough to just make sure that your web server is secure while leaving other components (like mail servers) with outdated and insecure configurations. SSLv2 was officially deprecated in 2011, so there really shouldn't be any servers that are willing to use it anyway, except for the fact that server software often ships with the most permissive cryptography settings for the sake of compatibility."

Developers would be well advised to draw lessons from the incident, Lady added. "This bug underscores the value of auditing not just new code but old code as well. Many recent OpenSSL vulnerabilities have been found in code that's been shipping for quite a few years, and the bugs just haven't been noticed. Additionally, new functionality in a program can open up a path for an attacker to exploit previously hidden bugs in old code," he concluded.

How DROWN abuses SSLv2 to attack TLS is explained by Ivan Ristic, director of engineering at cloud security firm Qualys and author of Bulletproof SSL and TLS, in a blog post here.

Ristic backs up the general expert opinion that "obsolete crypto is dangerous," advising IT staff to disable SSL v2 everywhere now. He also argues that previous crypto attacks have been hinting at the inherent problems of supporting obsolete crypto technologies for some time.
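A practical way to check that SSLv2 really is off on a host you administer, as an added example that is not from this article, the DROWN researchers or the blog posts cited here: the snippet builds an SSLv2 CLIENT-HELLO, parses the SERVER-HELLO that an SSLv2-enabled server would return, and reports whether 40-bit export cipher kinds are offered. The sample reply is constructed inline (not captured from any real host), and `probe()` is a hypothetical helper for a live check against your own servers.

```python
import socket
import struct

# SSLv2 cipher-kind codes (3 bytes each) from the SSLv2 draft specification.
SSLV2_CIPHERS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def build_client_hello(ciphers=tuple(SSLV2_CIPHERS)):
    """Build an SSLv2 CLIENT-HELLO record offering the given cipher kinds."""
    specs = b"".join(c.to_bytes(3, "big") for c in ciphers)
    challenge = b"\x00" * 16  # a fixed challenge is fine for a support check
    body = struct.pack(">BHHHH", 0x01, 0x0002, len(specs), 0, len(challenge)) + specs + challenge
    # 2-byte record header: high bit set = no padding byte, low 15 bits = body length
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_server_hello(data):
    """Return the cipher kinds an SSLv2 SERVER-HELLO offers, or None if the reply is not SSLv2."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    body = data[2:2 + (struct.unpack(">H", data[:2])[0] & 0x7FFF)]
    if len(body) < 11 or body[0] != 0x04:  # 0x04 = SERVER-HELLO message type
        return None
    _, _hit, _ctype, ver, cert_len, spec_len, _conn_len = struct.unpack(">BBBHHHH", body[:11])
    if ver != 0x0002:
        return None
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    return [int.from_bytes(specs[i:i + 3], "big") for i in range(0, len(specs), 3)]

def assess(data):
    """Classify a reply: 'none' (no SSLv2), 'sslv2', or 'sslv2-export' (40-bit kinds offered)."""
    kinds = parse_server_hello(data)
    if not kinds:
        return "none"
    export = [k for k in kinds if "EXPORT" in SSLV2_CIPHERS.get(k, "")]
    return "sslv2-export" if export else "sslv2"

def probe(host, port=443, timeout=5):
    """Hypothetical live check: send the CLIENT-HELLO to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        return assess(s.recv(65536))  # large enough for a SERVER-HELLO carrying a typical cert

# Constructed sample SERVER-HELLO: no certificate, version 2, two cipher kinds
# (one of them export grade) and a 16-byte connection id.
_specs = bytes.fromhex("010080020080")
_body = struct.pack(">BBBHHHH", 0x04, 0, 1, 0x0002, 0, len(_specs), 16) + _specs + b"\x00" * 16
SAMPLE_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_body)) + _body
```

A TLS-only server answers the SSLv2 hello with a TLS alert or simply closes the connection, which `assess()` reports as `'none'`; anything else means SSLv2 is still enabled and the host needs its configuration fixed.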

"For many years the argument for not disabling SSL v2 was that there was no harm because no browsers used it anyway," Ristic concludes. "We heard the same thing before learning about Logjam, and also before FREAK. This approach is obviously not working. Instead, in the future we must ensure that all obsolete crypto is aggressively removed from all systems. If it's not, it's going to come back to bite us, sooner or later."

Computer science professor Matthew Green provides an excellent overview of the DROWN vulnerability and its potential impact in a blog post, here. A picture in the blog post features a zombie, captioned with "SSLv2 export cipher," neatly summing up the general view of security experts. ®
