HTTPS is supposed to be secure, right? Of course, nothing on the internet is ever truly safe. This week, a new vulnerability in OpenSSL was uncovered, allowing hackers to access websites secured with SSLv2. Although this security protocol is out of date, over 11 million websites—1/3 of all HTTPS secured servers—are at risk.
Plenty of websites that store sensitive information like credit card details are vulnerable to DROWN, which is an acronym for Decrypting RSA with Obsolete and Weakened eNcryption. Websites can be hacked in just minutes using this attack vector.
SSLv2 and SSLv3 have since been replaced by SSLv4 or TLS1.2 due to the possibility of man in the middle attacks. TLS doesn't allow SSLv2 connections, but if your website security certificate is used anywhere else on the internet that does support SSLv2, you are still at risk. That means SMTP, IMAP, and POP e-mail servers, which are all very common, or specific instances of older HTTPS that may be tied to an application.
Check your website on the DROWN test site. A patch is already available, so be sure to patch your servers ASAP. As news of this vulnerability has spread quickly, hackers will be on the hunt for any vulnerable servers while the opportunity is still ripe.
From a Linux computer that has OpenSSL libraries installed, you can also run the following command, which instructs OpenSSL to connect to a server using the SSLv2 protocol. If you get an error as shown below, SSLv2 is disabled. If you get the certificate returned, SSLv2 is still installed.
$ openssl s_client -connect hostname:443 -ssl2 CONNECTED(00000003) 7668:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
OpenSSL users should upgrade to version 1.0.2g or 1.0.1s. If SSLv2 is still enabled on your server, you'll want to disable it. You can do so by following these instructions:
1) Open the registry for editing.
2) Open or create this path: Hkey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
3) Add "Enabled" as a DWORD value set to zero and reboot.
On Apache servers, open the httpd.conf file (this may be the ssl.conf file depending on your configuration). Use Putty SSH to login, then type:
You can also use WinSCP to open the file path with a text editor.
Edit the following and then restart:
SSLProtocol -all +TLSv1 +SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
Information on other server software, the DROWN vulnerability, and full technical papers are available at https://drownattack.com/