Drown bug in HTTPS puts 11 million websites at risk

A major flaw in the HTTPS protocol has been uncovered that may leave as many as 11 million websites at risk, as well as any other services that use SSL and TLS encryption.

The security protocols are widely used to encrypt web transactions and other highly sensitive traffic. HTTPS has also been increasingly deployed to protect people's browsing of ordinary websites in an era when more and more governments are engaging in large-scale web surveillance.

The flaw, dubbed Drown, could be used to access all kinds of sensitive information, the researchers explained in a detailed posting on a dedicated website.

"Drown allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets and financial data. Our measurements indicate that 33 percent of all HTTPS servers are vulnerable to the attack," wrote the researchers.

The research indicates that a quarter of top-level domains deploying HTTPS and a third of all sites are vulnerable.

The flaw centres on continuing legacy support for outdated cryptography by website operators.

"Due to misconfigurations, many servers also still support SSLv2, a 1990s-era predecessor to TLS," said the researchers.

"This support did not matter in practice, since no up-to-date clients actually use SSLv2. Therefore, even though SSLv2 is known to be badly insecure, until now merely supporting SSLv2 was not considered a security problem, because clients never used it.

"[But] Drown shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key."

A server is vulnerable to Drown if:

• It allows SSLv2 connections, which is surprisingly common owing to a combination of misconfiguration and inappropriate default settings. About 17 per cent of HTTPS servers still allow SSLv2 connections, according to the researchers.
• The server's private key is used on any other server that allows SSLv2 connections, even for another protocol. Many companies reuse the same certificate and key on their web and email servers, for instance. In this case, if the email server supports SSLv2 and the web server does not, an attacker can take advantage of the email server to break TLS connections to the web server. Taking key reuse into account, some 16 percent of HTTPS servers are also vulnerable, putting a third of HTTPS servers at risk.

"To protect against Drown, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS," advised the researchers.

The authors of the research are based in universities across three continents and have produced a full technical paper explaining the flaw (PDF).

To hear more about security challenges, the threats they pose and how to combat them, sign up for Computing's Enterprise Security and Risk Management conference on 24 November.

• Tweet  
• Facebook  
•  
•  
• Save this article  
• Send to  

• Topics
• Security
• Servers
• Web
• encryption