Newly Discovered DROWN Vulnerability Allows Attackers to Decrypt Information

A recent vulnerability involving the handling of SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates dubbed as DROWN, has been discovered by researchers. DROWN stands for “Decrypting RSA with Obsolete and Weakened eNcryption.” Attackers probing for vulnerable servers affected by the DROWN vulnerability can force certain web servers to use an older, insecure version of SSL/TLS, resulting in weak encryption that is easily decrypted by an attacker. DROWN was discovered by a team of researchers from Tel Aviv University, Münster University of Applied Sciences, the Horst Görtz Institute for IT security, Ruhr University Bochum, the University of Pennsylvania, the Hashcat Project, the University of Michigan, and the OpenSSL project.

One of the purposes of Secure Socket Layer (SSL) certificates is to indicate secure, encrypted connections between personal devices and websites. This new vulnerability can allow attackers to decrypt encrypted data being sent between devices and a server via what is called a man-in-the-middle (MITM) attack. In MITM attacks, the attacker is monitoring the connection to these websites. Data is sent from point A (computer) to point B (server/website), and an attacker can get in-between these transmissions, and nab the data being sent. The saving grace with these types of attacks is that the information (when being submitted via a website using SSL/TLS) is encrypted while it is in transit. The attacker can gain access to it, however they cannot see what the data actually is. In the case of DROWN, the encryption is very weak and attackers can easily decrypt the data once they have obtained it through a MITM attack.

Encryption can secure just about everything under the sun, from email services, online shopping sites, online banking sessions and more. As a result of this vulnerability, attackers can decrypt personal and financial information such as log in credentials, credit card information, and any other data they can get their hands on.

The researchers stated that about a third of all computer servers using the HTTPS protocol were vulnerable to these so-called DROWN attacks. This amounts to an estimated 11 million servers, most of which host websites or email services. 

 

How to Protect Yourself from this Threat

While no evidence has emerged that DROWN has been exploited in the wild to date, it is now only a matter of time before attackers attempt to find and exploit unpatched systems.

Add Extra Security to the Sites you Visit:

Use a Virtual Private Network (VPN) when using unsecured and public Wi-Fi:
VPN software sets up an encrypted data connection in between your computer and a remote server. Encryption is a way of protecting personal data, sort of like a “secret code,” so that it cannot be read by anyone who doesn’t have the code key. This blocks any attempts by hackers, malware or any other threat from accessing that data and eavesdropping, stealing information, and even performing a MITM attack.

Enable two-step authentication on websites that offer it:
This will add an extra layer of security to your account by requiring you to provide something you know (your password) and something you have (such as your phone or a fingerprint).

Keep an eye on your sensitive online accounts:
It’s always a good practice to do this anyway, but particularly now, pay special attention to online accounts (banks, email etc), as well as bank and credit card statements to check for any unusual transactions.

Be especially on the look out for scams:
Popular current event and news stories are music to scammers’ ears. Since there are a multitude of stories about these events flying around the Internet, scammers are looking to capitalize on the popularity of the story. Be on the lookout for unsolicited emails, instant messages, and even text messages about this threat. If you ever get a notice to change your password- do NOT click on the link in the message. Instead, visit the website directly by typing the known address into your URL bar in your browser.

 

According to the official DROWN website, “there is nothing practical that web browsers or other client software can do to prevent DROWN. Only server operators are able to take action to protect against the attack.”  You can also check their page that lists examples of websites susceptible to this vulnerability here.