Remember last year’s “Heartbleed” scare? If you don’t, or if you need a refresher, Heartbleed was a flaw in the security of SSL, which is the technology employed by just about everyone on the web to make financial transactions secure. It is essentially the technology that makes people feel comfortable about conducting business on the web.
This year, another vulnerability in SSL has been found, this one called “DROWN,” which stands for Decrypting RSA with Obsolete and Weakened eNcryption. This attack can completely compromise SSL security, and is estimated to be able to impact more than 11 million sites on the internet, worldwide, so in terms of scope and scale, this is one to pay serious attention to. Combine that with the fact that this attack strikes at the very heart of financial transactions on the internet, and it’s easy to see why there’s cause for concern.
The good news is that even if this is the first you’re hearing about it, there’s already a fix in place. You can test your site to see if it’s vulnerable by going here: https://test.drownattack.com/ . If you’re on the list, additional action should be taken immediately.
Specifically, have your IT people install OpenSSL version 1.0.2g, if you’re not already using it. If you’re currently running version 1.0.1, you should upgrade to 1.0.1s.
Typically, internet-based attacks rely on a swarm of PC’s attacking a single point to bring the server down, but servers vulnerable to this bug have been brought down with a single PC attacking it. Even worse, they can often succeed in less than a minute.
As of the time this piece was written, some of the biggest named companies on the internet are vulnerable to DROWN attacks. If your site is on the list, it’s not really a question of if you’ll be hit, but when, this makes it imperative that you upgrade your OpenSSL immediately.