DROWNing Puts Majority of Internet at Risk, Researchers Say
Internet At Risk
A whopping 11.5 million websites using the HTTPS protocol for encryption are estimated to be at risk of being attacked and having their data stolen and compromised through a new vulnerability, known as DROWN, that has been exposed as a loophole in OpenSSL.
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) uses an outdated security protocol, Secure Sockets Layer (SSLv2), which can be used to exploit the HTTPS encryption protocol and gain Personally Identifiable Information (PII) about the users of the website. This makes DROWN a very serious issue, as banks, financial institutions and other websites mostly use HTTPS, and the data of millions of users is put at risk.
Since the Heartbleed vulnerability discovered in 2014, which exploited the SSL/TLS protocols to gain information, the DROWN attack has been the most serious issue to affect such a large portion of the internet.
The DROWN attack was revealed by academic researchers from the Department of Electrical Engineering, Tel Aviv University, University of Applied Sciences, Munster University of Applied Sciences, Horst Görtz Institute for IT Security, Hashcat Project, University of Michigan, Ruhr University Bochum, University of Pennsylvania, Google/OpenSSL, and Two Sigma/OpenSSL.
The experts were able to target and gain information about a single user or a single PC within a matter of seconds using DROWN. For other servers, they were quoted as saying:
“Even for servers that don’t have these particular bugs, the general variant of the attack, which works against any SSLv2 server, can be conducted in less than 8 hours at a total cost of $440.”
It Comes From The Deep
The DROWN vulnerability, officially known as CVE-2016-0703 in the Common Vulnerabilities and Exposures (CVE) list, can have severe effects on the internet. Man-in-the-middle attacks using this vulnerability can affect even the topmost websites listed on Alexa and other famous websites.
The website of one of India’s biggest banks, The State Bank Of India, is also vulnerable to DROWN, a man-in-the-middle (MitM) attack with which attackers can intercept and decrypt data between client and server and steal personal information. Obsolete versions of Microsoft Internet Information Services (IIS) and of National Security Services (NSS), a general cryptographic library built into many server products, are also open to attack.
Eavesdropping attacks can be carried out against any IP address of a website whose certificate is served with SSLv2 support. The answer to this problem, according to the researchers, is to update server software at all such IP addresses and make sure SSLv2 is disabled.
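The following is an added example, not code from the researchers or from this article, showing how an administrator could apply that advice to a scan inventory: it groups endpoints by the certificate they serve and lists every address where SSLv2 must be disabled, plus the TLS-only endpoints that stay exposed until then because they share that certificate. The inventory rows, field names and fingerprint labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory (not real scan data): one row per listening
# endpoint, the certificate fingerprint it serves, and the protocol versions
# it accepted during a scan. Field names are assumptions for this example.
INVENTORY = [
    {"endpoint": "192.0.2.10:443", "cert_fp": "fp-A", "protocols": {"TLSv1.2"}},
    {"endpoint": "192.0.2.11:25", "cert_fp": "fp-A", "protocols": {"SSLv2", "TLSv1.0"}},
    {"endpoint": "192.0.2.20:443", "cert_fp": "fp-B", "protocols": {"TLSv1.1", "TLSv1.2"}},
    {"endpoint": "192.0.2.30:993", "cert_fp": "fp-C", "protocols": {"SSLv2"}},
]


def audit_sslv2_exposure(inventory):
    """Return {cert_fp: {"disable_sslv2": [...], "exposed_by_reuse": [...]}}
    for every certificate served by at least one SSLv2-enabled endpoint."""
    by_cert = defaultdict(list)
    for row in inventory:
        by_cert[row["cert_fp"]].append(row)

    findings = {}
    for cert_fp, rows in by_cert.items():
        direct = sorted(r["endpoint"] for r in rows if "SSLv2" in r["protocols"])
        if not direct:
            continue  # no endpoint serving this certificate accepts SSLv2
        # TLS-only endpoints that serve the same certificate remain at risk
        # until SSLv2 is disabled on every endpoint listed in `direct`.
        indirect = sorted(r["endpoint"] for r in rows if "SSLv2" not in r["protocols"])
        findings[cert_fp] = {"disable_sslv2": direct, "exposed_by_reuse": indirect}
    return findings


if __name__ == "__main__":
    for cert_fp, finding in sorted(audit_sslv2_exposure(INVENTORY).items()):
        print(f"certificate {cert_fp}")
        for endpoint in finding["disable_sslv2"]:
            print(f"  disable SSLv2 on {endpoint}")
        for endpoint in finding["exposed_by_reuse"]:
            print(f"  exposed through shared certificate: {endpoint}")
```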
To check whether or not a site is vulnerable to such attacks, the DROWN attack test site, https://test.drownattack.com/, can be used. Whether you’ve been compromised or not, we suggest that you get yourself a good VPN ASAP.