DROWN Attack - Using SSL Best Practices to Stay Afloat in an Uncertain Environment

Researchers recently discovered that SSL 2.0 is vulnerable to a cross-protocol attack known as DROWN. Attacks like this remind IT professionals that their environments must be checked regularly to ensure that servers are configured according to recommended best practices, which provide the best possible defense against known SSL threats.

The DROWN Exploit
This SSL 2.0 vulnerability is called Decrypting RSA with Obsolete and Weakened eNcryption, otherwise known as DROWN. DROWN exploits the conflict between minimum privileges and backwards compatibility. SSL 2.0 is a version of the SSL/TLS security protocols. It was released in February 1995 but, due to security flaws, was superseded by SSL 3.0 in 1996. Although SSL 2.0 was never secure and should only have been deployed for about a year, it was kept in products as a fallback protocol to support SSL 2.0-based clients. The IETF provided little guidance for removing support for obsolete protocols and algorithms from Web component implementations until RFC 6176 in 2011.

DROWN and Server Vulnerability
DROWN is a cross-protocol attack in which the bugs in SSL 2.0 can be used to attack the security of connections that use TLS. This vulnerability applies to servers that:

  • Are configured to use SSL 2.0
  • Run some versions of OpenSSL, even with SSL 2.0 disabled and all SSL 2.0 cipher suites removed
  • Use the same key as another server meeting one of the previous two criteria

The DROWN Attack Plan
A DROWN attack would not require the browser client to make an SSL 2.0 connection. DROWN is also not a protocol downgrade attack. As such, mitigations that commonly work against those types of attack are ineffective. The DROWN vulnerability is based on the Bleichenbacher attack from 1998. DROWN also takes advantage of SSL 2.0’s weak anti-Bleichenbacher countermeasure and weak export ciphers. The attack can be performed in about 8 hours for a cost of about $440 on Amazon EC2.

Determining a DROWN Attack
Server administrators can take several steps to identify whether their servers have been exploited by DROWN, as well as optimize their servers to prevent a DROWN attack. DROWN researchers provide a test that will check if the corresponding server appears to be vulnerable. Entrust’s SSL Server Test may also provide information, but that test is still experimental.

Preventing a DROWN Attack
Best practices for SSL/TLS establish that server administrators take the following steps to mitigate a DROWN attack:

  • Do not support SSL 2.0; you should also not support SSL 3.0.
  • OpenSSL users should upgrade 1.0.2 to version 1.0.2g and 1.0.1 to version 1.0.1s.
  • Do not use the same keys on different servers; this applies even if the certificates are different.
  • Run a tool like Entrust’s SSL Server Test to scan your servers to see if they are properly configured for SSL.
  • Research tools and documentation like the ones available at the Entrust Best Practices site that guide you on best practices for preventing or mitigating common threats.
  • Leverage a reporting engine like the one in Entrust Cloud that proactively notifies you of security weaknesses associated with SSL certificate installation and provides the tools to fix them.
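
The three server criteria under "DROWN and Server Vulnerability" and the OpenSSL upgrade thresholds in the list above can be applied to a server inventory. This is an added example, not code from the article or from Entrust; the inventory format, hostnames and key fingerprints are constructed, and OpenSSL branches other than 1.0.1 and 1.0.2 are not evaluated because the article names no fixed release for them.

```python
import re
from collections import defaultdict

# Fixed releases named in the article, keyed by OpenSSL branch.
FIXED = {"1.0.1": "s", "1.0.2": "g"}

def openssl_needs_upgrade(version):
    """True if version is on a branch the article names and predates its fix."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z]*)", version or "")
    if not m or m.group(1) not in FIXED:
        return False  # branch not covered by the article; not evaluated here
    letter, fixed = m.group(2), FIXED[m.group(1)]
    # Order suffixes as "" < "a" < ... < "z" < "za" by comparing (length, text).
    return (len(letter), letter) < (len(fixed), fixed)

def drown_exposure(inventory):
    """Map each exposed host to the article criteria it meets."""
    reasons = defaultdict(list)
    by_key = defaultdict(list)
    for h in inventory:
        by_key[h["key_fp"]].append(h["host"])
        if h["sslv2"]:
            reasons[h["host"]].append("SSL 2.0 enabled")
        if openssl_needs_upgrade(h.get("openssl")):
            reasons[h["host"]].append("OpenSSL older than fixed release")
    # Third criterion: same key as a host flagged above, even if certificates differ.
    direct = set(reasons)
    for hosts in by_key.values():
        weak = [x for x in hosts if x in direct]
        for host in hosts:
            others = [w for w in weak if w != host]
            if others:
                reasons[host].append("shares key with " + ", ".join(others))
    return dict(reasons)

# Constructed inventory: hostnames, key fingerprints and versions are sample values.
INVENTORY = [
    {"host": "www.example.test",  "key_fp": "fp-A", "sslv2": False, "openssl": "1.0.2g"},
    {"host": "mail.example.test", "key_fp": "fp-A", "sslv2": True,  "openssl": "1.0.1s"},
    {"host": "vpn.example.test",  "key_fp": "fp-B", "sslv2": False, "openssl": "1.0.1r"},
    {"host": "app.example.test",  "key_fp": "fp-C", "sslv2": False, "openssl": "1.0.2h"},
]

if __name__ == "__main__":
    for host, why in drown_exposure(INVENTORY).items():
        print(host, "->", "; ".join(why))
```

In the sample, www.example.test is patched and has SSL 2.0 off, yet it is still reported because it shares a key with mail.example.test.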

Legacy products that handle protocol and algorithm agility poorly still remain.  The best way to mitigate security vulnerabilities associated with SSL on your web servers is to configure them using best practices for SSL. Entrust is the Certification Authority most recognized for providing education and the essential tools necessary to reduce vulnerabilities associated with SSL so that organizations can maintain business continuity. 

To learn more about best practices for SSL, please contact Mathew Simupande to request a copy of the datasheet: mathew.simupande@mpa.co.nz.
