3.3.2016

Don't DROWN: Check Your Servers for HTTPS Vulnerability

Last updated:
9.16.2020
3.1.2023

HTTPS is supposed to be secure, right? Of course, nothing on the internet is ever truly safe. This week, a new vulnerability in OpenSSL was uncovered, allowing hackers to access websites whose servers still accept SSLv2. Although this security protocol is long out of date, over 11 million websites—1/3 of all HTTPS-secured servers—are at risk.

Plenty of websites that store sensitive information like credit card details are vulnerable to DROWN, which is an acronym for Decrypting RSA with Obsolete and Weakened eNcryption. Websites can be hacked in just minutes using this attack vector.

SSLv2 and SSLv3 have since been replaced by SSLv4 or TLS1.2 due to the possibility of man-in-the-middle attacks. TLS itself doesn't allow SSLv2 connections, but if your website's certificate is also deployed on any other internet-facing server that still supports SSLv2, you are still at risk. That includes SMTP, IMAP, and POP e-mail servers, which are all very common, as well as older HTTPS instances that may be tied to a specific application.

DROWN diagram from https://drownattack.com/

How do I know if I'm vulnerable?

Check your website on the DROWN test site. A patch is already available, so be sure to patch your servers ASAP. As news of this vulnerability has spread quickly, hackers will be on the hunt for any vulnerable servers while the opportunity is still ripe.

From a Linux computer that has the OpenSSL libraries installed, you can also run the following command, which instructs OpenSSL to connect to a server using the SSLv2 protocol. If you get the handshake failure shown below, SSLv2 is disabled. If the server's certificate is returned instead, SSLv2 is still enabled.

$ openssl s_client -connect hostname:443 -ssl2
CONNECTED(00000003)
7668:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
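Added example (not from the original post): a small Python probe that sends the same SSLv2 CLIENT-HELLO that `openssl s_client -ssl2` sends and parses the reply, which helps on current systems whose OpenSSL build no longer ships the -ssl2 option. The cipher-kind constants are the standard SSLv2 ones; `probe_sslv2`, the script name and the port guidance are this example's own assumptions.

```python
import socket
import struct
# SSLv2 cipher kinds (3-byte "cipher specs"); the export-grade RC2/RC4 ones make DROWN cheap.
SSLV2_CIPHER_KINDS = [
    bytes.fromhex("010080"),  # SSL_CK_RC4_128_WITH_MD5
    bytes.fromhex("020080"),  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    bytes.fromhex("030080"),  # SSL_CK_RC2_128_CBC_WITH_MD5
    bytes.fromhex("040080"),  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    bytes.fromhex("050080"),  # SSL_CK_IDEA_128_CBC_WITH_MD5
    bytes.fromhex("060040"),  # SSL_CK_DES_64_CBC_WITH_MD5
    bytes.fromhex("0700c0"),  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]

def build_sslv2_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """The SSLv2 CLIENT-HELLO record that `openssl s_client -ssl2` sends."""
    specs = b"".join(SSLV2_CIPHER_KINDS)
    body = (b"\x01" + b"\x00\x02"                  # MSG-CLIENT-HELLO, version SSL 2.0
            + struct.pack(">HHH", len(specs), 0, len(challenge))  # spec/sid/challenge lengths
            + specs + challenge)                   # no session id
    # SSLv2 2-byte record header: high bit set, 15-bit body length
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_sslv2_server_hello(data: bytes):
    """Return the cipher kinds a SERVER-HELLO offers, or None if the reply is
    not SSLv2 (TLS alert, empty read after a RST, or a malformed record)."""
    if len(data) < 2 or not data[0] & 0x80:
        return None                      # TLS records start 0x15/0x16, never 0x8x
    body = data[2:2 + (((data[0] & 0x7F) << 8) | data[1])]
    # fixed part: type(1) sid-hit(1) cert-type(1) version(2) cert-len(2) spec-len(2) conn-id-len(2)
    if len(body) < 11 or body[0] != 0x04 or body[3:5] != b"\x00\x02":
        return None
    cert_len, spec_len, conn_len = struct.unpack(">HHH", body[5:11])
    if spec_len % 3 or len(body) < 11 + cert_len + spec_len + conn_len:
        return None                      # truncated or inconsistent lengths
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    return [specs[i:i + 3] for i in range(0, spec_len, 3)]

def probe_sslv2(host: str, port: int, timeout: float = 5.0):
    """Send one CLIENT-HELLO to an implicit-TLS port (443, 465, 993, 995) and
    return the parsed reply; STARTTLS services are out of scope here (assumption)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""                  # a rejecting server often just drops the connection
    return parse_sslv2_server_hello(reply)
if __name__ == "__main__":               # usage: python drown_probe.py mail.example.com 993
    import sys
    print(probe_sslv2(sys.argv[1], int(sys.argv[2])) or "SSLv2 disabled")
```

A non-empty list of cipher kinds means the server completed an SSLv2 SERVER-HELLO and is exposed; `None` corresponds to the handshake failure shown above.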

OpenSSL users should upgrade to version 1.0.2g or 1.0.1s. If SSLv2 is still enabled on your server, you'll want to disable it. You can do so by following these instructions:

Microsoft IIS

1) Open the registry for editing.

2) Open or create this path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

3) Add "Enabled" as a DWORD value set to zero and reboot.

Apache

On Apache servers, open the httpd.conf file (this may be the ssl.conf file depending on your configuration). Use PuTTY to log in over SSH, then type:

su -

then

vi /etc/httpd/conf/httpd.conf

You can also use WinSCP to open the file path with a text editor.

Edit the following two directives and then restart Apache:

SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

Information on other server software, the DROWN vulnerability, and full technical papers are available at https://drownattack.com/
