An OpenSSL vulnerability dubbed “DROWN” was disclosed recently. It puts as many as 11 million websites that use OpenSSL for HTTPS communications at risk, The Hacker News said Wednesday. Details on the DROWN attack were also published on a website of the same name (DrownAttack.com), which explains the vulnerability and provides a short Q&A on the risks.
“DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security,” DrownAttack.com explained. The security researchers who discovered the vulnerability said that an attacker could potentially break a website’s encryption in under a minute using a single computer, provided the server was vulnerable in the first place. But even servers that weren’t affected by that particular bug could be attacked in about 8 hours, the researchers on DrownAttack.com said.
There’s good news and bad news. The good news is that the researchers appear to be the first to have discovered the bug. The bad news is that now everyone knows about it.
“We have no reason to believe that DROWN has been exploited in the wild prior to this disclosure,” the researchers explained. “Since the details of the vulnerability are now public, attackers may start exploiting it at any time, and we recommend taking the countermeasures explained above as soon as possible.”
Thankfully, DrownAttack.com describes several ways that websites can prevent attacks. “To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections,” the site explained. “This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS.”
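The key point in that mitigation is the word “anywhere”: a web server with SSLv2 disabled is still exposed if the same private key is used by, say, a mail server that accepts SSLv2. The following is an added example (not code from the article or from the DROWN researchers) of an inventory audit that applies that rule; the inventory, hostnames and key fingerprints are constructed.

```python
"""Audit a certificate/key inventory for DROWN exposure.

Rule applied (from the DROWN mitigation advice): a private key must not
be used anywhere with server software that still accepts SSLv2. If any
endpoint accepts SSLv2 with a given key, every endpoint using that key
is at risk, even those that have SSLv2 disabled themselves.
"""
from collections import defaultdict

# Constructed inventory: (hostname, port, service, key fingerprint, protocols offered)
INVENTORY = [
    ("www.example.test", 443, "https", "KEY-A", {"TLSv1.2"}),
    ("mail.example.test", 25, "smtp", "KEY-A", {"SSLv2", "TLSv1.0", "TLSv1.2"}),
    ("imap.example.test", 993, "imaps", "KEY-B", {"TLSv1.2"}),
    ("legacy.example.test", 443, "https", "KEY-C", {"SSLv2", "SSLv3"}),
]


def _label(host, port, service):
    return f"{host}:{port} ({service})"


def keys_exposed_by_sslv2(inventory):
    """Map each private key to the endpoints that accept SSLv2 while using it."""
    exposed = defaultdict(list)
    for host, port, service, key, protocols in inventory:
        if "SSLv2" in protocols:
            exposed[key].append(_label(host, port, service))
    return dict(exposed)


def at_risk_endpoints(inventory):
    """Return (endpoint, sslv2_endpoints_sharing_its_key) for every endpoint at risk.

    An endpoint appears here whenever its key is exposed anywhere, so an
    operator sees both the SSLv2 server to fix and the TLS-only servers it
    drags down with it.
    """
    exposed = keys_exposed_by_sslv2(inventory)
    return [
        (_label(host, port, service), exposed[key])
        for host, port, service, key, protocols in inventory
        if key in exposed
    ]


if __name__ == "__main__":
    for endpoint, culprits in at_risk_endpoints(INVENTORY):
        print(f"AT RISK: {endpoint} -- key also served with SSLv2 by {', '.join(culprits)}")
```

In the constructed inventory, www.example.test is flagged even though it only offers TLSv1.2, because mail.example.test serves the same key over SSLv2; imap.example.test, with its own key and no SSLv2, is clean.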
Hit the source for more details on how to protect your site.