
SSL's DROWN not as bad as Heartbleed, still a security shipwreck

Just set SSLv2 on fire

Security experts are split on how easy it is for hackers to exploit the high-profile DROWN vulnerability on insecure systems.

One-third of all HTTPS websites are potentially vulnerable to the DROWN attack, which was disclosed on Tuesday. DROWN (which stands for Decrypting RSA with Obsolete and Weakened eNcryption) is a serious design flaw that affects network services that rely on SSL and TLS. An attacker can exploit support for the obsolete SSLv2 protocol – which modern clients have phased out but is still supported by many servers – to decrypt TLS connections.

As previously reported, code breaking involves sending lots and lots of probes to a server that supports SSLv2 and reuses the same private key across multiple protocols.
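The two preconditions the article names, a reachable SSLv2 endpoint and a private key shared across services, can be checked against an inventory before any probing is done. The following is an added example, not code from the article or from the DROWN researchers; it works over a constructed inventory (service names, accepted protocol versions and made-up key labels) and flags every service whose TLS sessions are exposed either because it accepts SSLv2 itself or because another service holding the same key does.

```python
"""Inventory check for DROWN exposure: SSLv2 support plus private-key reuse.

Added example, not the article's or the DROWN project's code. The inventory
below is constructed: service names, protocol sets and 'key_id' labels are
made up to illustrate the logic, not taken from any real deployment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    protocols: frozenset   # protocol versions the endpoint accepts
    key_id: str            # label for the private key behind the certificate


def group_by_key(services):
    """Map each key label to the services that present a certificate for it."""
    groups = {}
    for s in services:
        groups.setdefault(s.key_id, []).append(s)
    return groups


def drown_exposure(services):
    """Return {service name: reason} for every service whose TLS traffic could be
    decrypted through an SSLv2 oracle.

    A service is exposed if it accepts SSLv2 directly, or if any other service
    that accepts SSLv2 uses the same private key: the oracle may live on a
    different port or host, but the key it leaks is the one the TLS service uses.
    """
    by_key = group_by_key(services)
    report = {}
    for s in services:
        if "SSLv2" in s.protocols:
            report[s.name] = "accepts SSLv2 directly"
            continue
        oracles = sorted(o.name for o in by_key[s.key_id]
                         if o is not s and "SSLv2" in o.protocols)
        if oracles:
            report[s.name] = ("shares private key with SSLv2-enabled "
                              + ", ".join(oracles))
    return report


def disable_sslv2(services, names):
    """Return a new inventory with SSLv2 removed from the named services,
    so the effect of the remediation can be re-checked with drown_exposure()."""
    fixed = []
    for s in services:
        if s.name in names:
            s = Service(s.name, s.protocols - {"SSLv2"}, s.key_id)
        fixed.append(s)
    return fixed


# Constructed sample inventory (labels are invented for the example).
SAMPLE = [
    Service("www",    frozenset({"TLSv1.1", "TLSv1.2"}),       "key-A"),
    Service("mail",   frozenset({"SSLv2", "SSLv3", "TLSv1"}),  "key-A"),
    Service("api",    frozenset({"TLSv1.2"}),                  "key-B"),
    Service("legacy", frozenset({"SSLv2", "TLSv1"}),           "key-C"),
]

if __name__ == "__main__":
    for name, reason in drown_exposure(SAMPLE).items():
        print(f"{name}: {reason}")
    print("after disabling SSLv2 on mail and legacy:",
          drown_exposure(disable_sslv2(SAMPLE, {"mail", "legacy"})))
```

The interesting case is "www": it never speaks SSLv2, yet it is exposed because the mail service presents the same key and still accepts SSLv2. Either of the fixes quoted later in the article clears it, disabling SSLv2 on every service that holds the key or giving each service its own key; the `disable_sslv2` helper lets both be checked against the inventory.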

Threat intel consultancy iSIGHT Partners has concluded, following an initial analysis of the problems, that the vulnerability poses only a moderate threat to users.

Steve Ward, senior director of marketing at iSIGHT Partners, commented: "iSIGHT Partners considers the DROWN Attack vulnerability (CVE-2016-0800) to be medium-risk and believes its exploitation poses only a moderate threat to users. Although a large number of systems are reportedly vulnerable, exploitation requires notable manual effort and can only be used to obtain the private key for individual users."

Widespread exploitation of the flaws by hackers is unlikely, according to iSIGHT Partners.

"Since the attacker needs to be in a position to intercept traffic, we believe most victims will be targets of opportunity, not targeted. Therefore, we anticipate limited actor interest and do not expect widespread exploitation."

Tod Beardsley, security research manager at Rapid7, the firm behind Metasploit, conceded that a potential hacker would already need to be on a targeted network. He nonetheless suggested it's too early to downplay the significance of the flaw.

"In the case of DROWN, the attacker does have to be in a privileged position on the network in order to eavesdrop on a TLS session, and also needs to have already conducted some reconnaissance on the server-side infrastructure, but this is the nature of padding oracle attacks. While it's not Heartbleed, DROWN techniques do demonstrate the weaknesses inherent in legacy cryptography standards."

Beardsley is holding fire on a definitive assessment, at least pending the availability of exploit code.

"I'm looking forward to the release of exploit code so that system administrators can demonstrate for themselves the practical effects of DROWN. In the meantime, sysadmins should ensure that all their cryptographic services have truly disabled the old and deeply flawed SSLv2 protocol, and consider the cost and effort associated with providing unique private keys for their individual servers," he advised.

The DROWN project's website, put together by the academic researchers who discovered the flaw, is here. The logo of the site is a cracked padlock that's about to be swamped by a wave, neatly encapsulating the lamentable situation in graphic form.

A Naked Security blog post by Paul Ducklin, senior technologist at Sophos, on the newly discovered DROWN vulnerability provides an assessment of the flaw as well as remediation tips. ®
