DROWN Attack Exposes SSL v2's Lingering Security Risk
A new vulnerability, dubbed DROWN, has been discovered in SSL v2, the first version of SSL released in 1995. This poses a significant security risk, as SSL v2 is still supported by many servers despite being declared dead less than a year after its release.
The DROWN attack, an extension of the 1998 Bleichenbacher attack, can decrypt one out of every 1,000 full TLS handshakes. It's easier to launch this attack on automated services due to session caching and lack of credentials. The best attack variant targets servers using vulnerable versions of OpenSSL, with a cost of $440 and 8 hours. However, this can be sped up by increasing expenditure.
Organizations or server operators not using the latest OpenSSL versions since March 2015 could have been affected. Up to 22% of servers could be impacted by the DROWN problem. The attack can exploit TLS, even if client devices or servers don't support SSL v2, if the same RSA key is used elsewhere.
Disabling SSL v2 on all servers is the straightforward remediation for the DROWN attack. This vulnerability underscores the importance of keeping systems up-to-date and using secure, modern protocols.
Read also:
- Web3 gaming platform, Pixelverse, debuts on Base and Farcaster networks
- Amazon customer duped over Nvidia RTX 5070 Ti purchase: shipped item replaced with suspicious white powder; PC hardware fan deceived, discovers salt instead of GPU core days after receiving defective RTX 5090.
- Infiltration of Estonian airspace by Russian military aircraft
- Cyber aggression intensifies by China-backed TA415 group, targeting Taiwan's semiconductor production and supply networks
