sslsd-logo
sslsd-logo

SSLv2 – The “Drown” Attack

Just recently there has been a lot of news regarding a vulnerability with SSLv2 (SSL2.0) and what has been named the Drown Attack. You will see articles saying “Drown Attack effects over 1/3 of the worlds websites, ” “No one is secure on the internet anymore,”  More than a Million sites effected!” etc.. the list goes on and on.

Allow me to calm some fears you may have..img17

Unless your have NOT touched your server system since 2011 then don’t worry. SSLv2 which was created back in 1995 was considered an obsolete protocol back in 2011, and more than likely you are not using it. Because the following…

  • Browsers such as Chrome have by default put a stop to the use of this protocol as default on their browsers since 2011.
  • You would have seen errors within your browser regarding the use of this the SSLv2 protocol running on the website, and would have turned this protocol off already.
  • Every couple of years a Digital Certificate gets updated on server systems that is part of encryption, and during this time you probably used a certificate checker to see if everything is ok. That SSL Checking tool more than likely told you that status of that server system and would have made you aware of SSLv2 being obsolete years ago.
  • If you are PCI compliant then you are not using SSLv2, or any SSL protocol for that matter.

The DROWN stands for Decrypting Rsa with Obsolete and Weakened eNcryption and it allows attackers to break the encryption enabling that hacker  to read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data.

On March 01, 2016, The United States Computer Emergency Readness Team (US-Cert) released this on their website. 

Network traffic encrypted using an RSA-based SSL certificate may be decrypted if enough SSLv2 handshake data can be collected. Exploitation of this vulnerability – referred to as DROWN in public reporting – may allow a remote attacker to obtain the private key of a server supporting SSLv2.

US-CERT encourages users and administrators to review Vulnerability Note VU#583776 and the US-CERT OpenSSL Current Activity for additional information and mitigation details.

So this really shouldn’t be news since SSLv2 was considered obsolete back in 2011. It was bound to happen sooner or later.

If you do happen to be effected by SSLv2 or would like to double check Qualys has an amazing SSL checking tool that goes deep into the health of a server system. localhost/ssl has a great article on how to use and read this checker featured here.  

More information can be found http://drownattack.com/

pan style=”font-weight: 400;”>Become a Partner and create additional revenue stream while the heavy lifting for you.

Recent Posts

S/MIME for Outlook O365 Windows

August 14, 2023

Add to Favorites S/MIME Advantages of S/MIME Certificates S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates offer several advantages when it comes to securing email communications. Here

Read More »

Abbreviations

May 22, 2023

Add to Favorites There are literally thousands of IT abbreviations out there. Many are concerned with the technical aspects of the computer, while others deal

Read More »

SSL Installation on Qmail

June 3, 2021

Add to Favorites SSL Installation on Qmail Qmail is a secure, reliable, efficient, simple message transfer agent. It is designed for typical Internet-connected UNIX hosts.

Read More »

Choose your SSL Plan

Basic Security Plan

Standard Security Plan

Enhanced Security Plan

Quick Support

About Us

CSR Generation Instructions

SSL Installation Instructions

SSL Glossary

SSL Brands

DigiCert SSL Certificates

GeoTrust SSL Certificates

Thawte SSL Certificates

RapidSSL Certificates

Sign up for Article Updates

Get latest updates related to PKI, SSL and Digital Security Delivered Directly to your inbox.

Facebook-f Linkedin-in Twitter
© 2024 Acmetek All Right Reserved. Legal Terms of Use | Privacy Policy