A Third of All HTTPS Websites Vulnerable To DROWN Attack

An anonymous reader writes: The OpenSSL project has released versions 1.0.2g and 1.0.1s to address a high severity security issue known as the DROWN attack (CVE-2016-0800) which allows attackers to break HTTPS and steal encrypted information. In layman terms, the attack uses an improperly patched issue (from 1998) in SSL to attack websites using the more modern TLS protocol. Servers where admins use SSL and TLS are in danger. Additionally, servers where only TLS is used, but the admins are sharing the same certificate for other servers where they have SSL, are also vulnerable, since the attack targets RSA, employed in both SSL and TLS. The entire attack is also easy to carry out, costing only $440 on Amazon EC2.

The name

[s_p_oneil]

The name "DROWN" probably has something to do with how admins feel about using OpenSSL by now (or perhaps what they think should be done to it, or both). It goes well with names like heart-bleed.

Re:The name

It's actually an acronym(-ish) for Decrypting RSA with Obsolete and Weakened eNcryption.

It also lends itself to the term "my server got dr0wned".

Re:The name

As we saw with Heartbleed, is it now a requirement that every vulnerability have its own logo? I didn't know that security teams needed to hire graphic artists.

Re:The name

Looks like they took a page out of Congress's book with the ridiculous acronyms.

Wow, really?

[gstoddart]

the attack uses an improperly patched issue (from 1998)

So I take it this is an issue which hasn't been properly fixed by vendors and nobody is using web servers from 1998?

This sounds more like badly written software than bad admin practices. How the heck are you supposed to prevent that?

Re:Wow, really?

Use open source software. OSS has had years if not decades of eyeballs scouring it for vulnerabilities. While occasionally something still gets found, it is not typically severe and is quickly patched.

Re:Wow, really?

[geekmux]

...This sounds more like badly written software than bad admin practices. How the heck are you supposed to prevent that?

Prevent?

Microsoft is still in business today. That should tell you something about prevention.

Re:Wow, really?

the attack uses an improperly patched issue (from 1998)

So I take it this is an issue which hasn't been properly fixed by vendors and nobody is using web servers from 1998?

This sounds more like badly written software than bad admin practices. How the heck are you supposed to prevent that?

<SARCASM>

You can use open source, where many eyes make all bugs shallow.

</SARCASM>

Re: Wow, really?

Like OpenSSL?

Re:Wow, really?

I hope this is being sarcastic.

Re:Wow, really?

To be fair, the described attack requires resources that haven't been available to the majority of the world until very recently. Had you managed to sit on this zero-day for twenty years, and you'd started the computations listed on consumer-grade equipment in the late 90s, you might be halfway done by now. Bottom line is, now that datacenter-level resources are becoming available to any script kiddie with a credit card, you're going to see a lot more of this kind of attack, regardless of the source.

Re: Wow, really?

Like OpenSSL, or do you suggest your 1998 era Netscape HTTP server still receives patches as issues are found?

Re: Wow, really?

the point is that the patch in 1998 was bad and nobidy has noticed that until 2016 and that patch is part of all opensll installs

Re: Wow, really?

You want to point at any non-trivial software that don't contain any bugs, or rather, that will never ever contain any bugs?

Re: Wow, really?

LibreSSL is more robust and is a lean version of OpenSSL.

Re: Wow, really?

[Billly+Gates]

LibreSSL is more robust and is a lean version of OpenSSL.

LibreSSL is vulnerable as well since it is an design flaw of SSLv2 more than a product defect.

Re: Wow, really?

[omnichad]

And was forked from OpenSSL long after this bug was in the codebase.

Re: Wow, really?

Um, LibreSSL removed SSLv2, so no. It is not vulnerable.

http://undeadly.org/cgi?action=article&sid=20160301141941&mode=expanded

Re:Wow, really?

[AchilleTalon]

I don't see how it relies on badly written software rather than bad sysadmin practices. The exploit need both TLS and SSLv2 configured on the server. These days, if someone has SSLv2 active on his/her website, you can call it a bad sysadmin practice for sure. Anyone with SSLv2/SSLv3 active on his/her website deserve to be kicked in the butt. And a third of the sysadmins deserve exactly that.

Re: Wow, really?

And the code that this vulnerability uses has been removed when they removed SSLv2 support.

Re: Wow, really?

[mnemotronic]

Gish Gallop!

Re: Wow, really?

OpenSSL was "patched". The result is LibreSSL.

Hiawatha

[Aethedor]

So glad that I'm using a webserver that does NOT use this abomination called OpenSSL and was writting with security in mind. Drown, Heartbleed, Slowloris, etc, never caused me any trouble.

Re:Hiawatha

[robmv]

It is not an OpenSSL exclusive problem, Is a protocol one. If you have SSLv2 enabled, you are vulnerable

Re:Hiawatha

[Aethedor]

Sure, but that's how mbed TLS (former PolarSSL, the TLS library used in Hiawatha) and Hiawatha helped me. mbed TLS dropped support for it long ago and Hiawatha uses sane and secure default settings. Without any tweaking, it gives you an A rating at ssllabs.com.

Re:Hiawatha

[WaffleMonster]

So glad that I'm using a webserver that does NOT use this abomination called OpenSSL

It uses the abomination called PolarSSL with its own history of exploitable vulnerabilities.

and was writting with security in mind

Using naÃve heuristics to defend against SQLi and XSS demonstrates the opposite.

Drown, Heartbleed, Slowloris, etc, never caused me any trouble.

Whose fault is allowing SSLv2 and export ciphers in 2016? All those poor site operators... OpenSSL made me do it!!

--
https://technet.microsoft.com/...

Re:Hiawatha

[DigitalSorceress]

Thanks... good to know. I really need to get off OpenSSL - go with one of the leaner distributions... we all do.

Re:Hiawatha

Like if you use... say... Windows Server 2003, for example.

Re:Hiawatha

Slowlorus has nothing to do with SSL or OpenSSL. It has to do with the threading model of the web server. But that wasn't the stupidest thing you said in your post.

CAPTCHA: dumbest

Re:Hiawatha

[BuGless]

It uses the abomination called PolarSSL with its own history of exploitable vulnerabilities.

True, but genetic diversity in this case is what can save your bacon. Organisms have been doing it for ages.

and was writting with security in mind

Using naive heuristics to defend against SQLi and XSS demonstrates the opposite.

Well, the Hiawatha project is notoriously bad at PR, nevertheless, it's open source, and there are multiple people scrutinising the code. But if you ignore those toy-like security kludges and the over-the-top claims of security, it turns out to be a rather solid platform.

Re:Hiawatha

[Carewolf]

Sure, but that's how mbed TLS (former PolarSSL, the TLS library used in Hiawatha) and Hiawatha helped me. mbed TLS dropped support for it long ago and Hiawatha uses sane and secure default settings. Without any tweaking, it gives you an A rating at ssllabs.com.

OpenSSL also disables SSLv2 by default. The problem is that some people apparently overrides the safe defaults.

Re:Hiawatha

[Aethedor]

Why do you think it has notoriously bad PR? What do other webserver projects do what Hiawatha doesn't?

Yes, the author himself has said that many security features are/were experimental, but why do you think it has toy-like security kludges and over-the-top claims? I found many of its security features very useful.

Disable SSLv2

[bill_mcgonigle]

It seems to say that if you have SSLv2 enabled on any service with your keys, you're vulnerable. Otherwise, not. A quarter of admins don't seem to know how to disable it.

Re:Disable SSLv2

If you hadn't disabled SSLv2 you already has a shitton of issues related to TLS anyways. Hell you were supposed to have disabled SSLv3 a few vulnerabilities ago anyways..

Re:Disable SSLv2

[xxxJonBoyxxx]

>> A quarter of admins don't seem to know how to disable it.

In many cases, the problem is "downstream" of the admins originally tasked with disabling it. E.g., Original website gets locked down with TLS only, but then a proxy/CDN/accelerator project comes along and "front-ends" some or all of the HTTPS services/content, and the new HTTPS-serving service isn't locked down and could even be invisible to the admins in charge of the original web application boxes. (Yes, I've seen this happen before both as a developer and a pentester.)

Re:Disable SSLv2

[guruevi]

The default in most packages (I'm talking Exchange, IIS, Apache, nginx, Postfix, Dovecot, ...) is that it is enabled. The problem is that disabling it could break a lot of clients, especially those on Windows XP, IE6 or older versions of Java.

Re:Disable SSLv2

The problem is that disabling it could break a lot of clients, especially those on Windows XP, IE6 or older versions of Java.

Aren't those clients by definition broken already?

Re:Disable SSLv2

[Billly+Gates]

The default in most packages (I'm talking Exchange, IIS, Apache, nginx, Postfix, Dovecot, ...) is that it is enabled. The problem is that disabling it could break a lot of clients, especially those on Windows XP, IE6 or older versions of Java.

Which is why I want to strangle slashdotters who claim anything after XP is for the sake of change and that old software is the best thing since sliced bread.

System admins get the horde of the hostily more than the helpdesk folks. It is their fault for being hacked, yet users and management never want to upgrade or spend any money because it works just fine. Meanwhile if something is hacked or breaks it is on the system admin for not fixing it even though management didn't follow their own procedures

Re:Disable SSLv2

[omnichad]

SSLv3? TLS 1.0 is no longer even PCI compliant due to vulnerabilities.

Re:Disable SSLv2

[codealot]

You're confusing it with SSLv3, which was still used by Win XP, IE6, Java 6, ancient Androids maybe. I can't think of anything that depends on SSLv2 and would be in common use today.

SSLv2 has been obsolete for decades. Both should be turned off--the bare minimum for secure sites is TLS v1.0, and PCI DSS requires all older protocols to be disabled, if you need such certifications.

Re:Disable SSLv2

[Dogers]

On Windows since at least 2008R2, SSLv2 is explicitly disabled by default..

Re:Disable SSLv2

[Carewolf]

No, that would be SSLv3. SSLv2 was deprecated in 1998 - 18 years ago, we had years of downgrade attacks like this before it became standard practice to drow all SSLv2 support, and that is already some 10 years ago. Unless you need to support crap from the 1990s that havne't been updated, you have no excuse for support SSLv2, and if you need to support that old crap, you really should have it on a secure intranet.

Re:Disable SSLv2

[AnthonySimpson]

SSLv3 is vulnerable to the POODLE attack and other attacks. It doesn't seem like any version of SSL is truly safe. What are the alternatives? Documentation on SSL3 vulnerabilities- https://isc.sans.edu/forums/di...

Re:Disable SSLv2

How exactly is SSLv2 enabled by default in Apache and nginx? They both require admins to create config files specifying what protocols to use. Yes, there are distro's and tools out there that come with pre-rolled HTTPS configs but they're not apache or nginx defaults.

Re:Disable SSLv2

Bullshit

nginx doesn't enable any SSL/TLS by default. You have to explicitly turn on what you want. Ditto for postfix and dovecot.

Dumbass

Re:Disable SSLv2

[jrumney]

The default in Apache is not to have an https server set up at all. The instructions I followed 3 years ago for enabling it had SSLv2 and SSLv3 disabled (I just checked my config, and it was already disabled), so maybe these third of all websites are following some guys blog instead of the vendors documentation.

Re:Disable SSLv2

No web server has SSLv2 enabled by default. It's been dead for years. Any site running SSLv2 has a willful disregard for the security of their site and their users.

Re:Disable SSLv2

TLS. Use it.

Re:Disable SSLv2

[guruevi]

If you don't explicitly disable it, it will be enabled. Yes, the defaults is to not have SSL, but this is the documentation
https://httpd.apache.org/docs/...
This page doesn't even make mention of the SSLProtocol directive.

Re:Disable SSLv2

[guruevi]

Well, if you want to enable SSL, you go to the documentation right? NEITHER Apache 2.4 nor nginx documentation mention the SSL Protocol directives on their pages or any warning about why you should disable them. Vendor defaults (I just went through it on Ubuntu LTS) do have commented out SSL directives for Postfix/Dovecot but do not have any warning nor SSL protocols disabled.

Re:Disable SSLv2

[jrumney]

You are looking at the documentation for Apache 2.4, which does not even support SSLv2.

about time

Hey Slashdot, nice to get this posted on your "News for nerds" site.

Re:about time

Surprisingly, an older mod selected it for the frontpage :)))

Is anyone still using ssl?

My websites are using TLS only. Ssl is one huge security hole.

[REDUNDANT]

[darkain]

[REDUNDANT]

Good thing /. isn't vulnerable at all, thanks to its lack of HTTPS support!

Re:[REDUNDANT]

[bigdady92]

please someone mod this +5 Winning or something.

Re:[REDUNDANT]

We had some guys at work (Windows admin team) say something similar, only they weren't joking. This is at the point in time where Windows2000 was mainstream and Service Pack 4 was considered pretty much baseline. SP4 was a pre-req for many patches and updates. One of the teams said we are just staying on SP2, that way we aren't vulnerable to any of those issues that require SP4 as a pre-req.

LibreSSL not affected by DROWN attack

http://undeadly.org/cgi?action=article&sid=20160301141941&mode=expanded&count=1

Re:LibreSSL not affected by DROWN attack

[guruevi]

Obviously because it doesn't support SSLv2.

The problem is not in the library but in the protocol, the reason people continue to use OpenSSL is BECAUSE it supports all sorts of SSL versions and thus more flexible to use than any other OpenSSL-wannabe-dropin.

This OpenSSL version however breaks stuff by disabling it by default and changing the API when you DO want to use it; given that the only applications that would use it are ancient, I doubt there would be any fixes for those applications to use the new API. This is a protocol issue, not a library issue, leave the API's intact, throw up a giant warning and let people manage their own security. Now what will happen is that people requiring SSLv2 support (for whatever reason) will probably revert to older versions of the library that have bigger issues than SSLv2 support.

Seriously....

Who doesn't disable SSLv2 these days? You can't pass a PCI audit with SSLv2 enabled and with SSLv2/v3 disabled I can't support IE6 running on Windows XP but that's about it, anyone else I can support just fine. Why on earth would anyone SSLv2 and SSLv3 still be enabled, other than to support legacy code someone is too lazy to update?

The track record

Of many eyes seeing the code and fixing bugs/vulnerabilities is getting pretty bad.

Re: The track record

Well, they did fix it.

Amazon EC2, tool of terror

Only $440 to hack into one of these prominent websites?

When will Congress outlaw this terrorist-enabling service called Amazon EC2? It's an outrage that Amazon provides such computing power to those who seek to harm America. Imagine the damage a terrorist could do, for less than the cost of an airline ticket! This EC2 cyber terror platform is available to anyone, by an American company to boot, talk about treason. They don't even conduct background checks on the people who purchase this service! Someone from ISIL could easily sign up and begin hacking American targets.

When will the FBI demand Amazon EC2 shuts down?

Re:Amazon EC2, tool of terror

[avandesande]

It's a stupid thing to quote- I am sure Amazon or any other hosting provider keeps very good logs about user activity and would quickly hand your information over to feds if asked. So it really isn't that cheap- either you need to steal access to such machines or buy them.

Astonished

[operagost]

Absolutely astonished that anyone has SSL v2 enabled. You can pick any modern security standard (like PCI DSS or SSAE16) and it reads something like, "disable all obsolete or vulnerable protocols". I mean, I haven't had SSL v3 enabled on anything I'm responsible for since 2010.

Re:Astonished

SSL V3 is vulnerable to the POODLE attach, in which it was recommended to go back to SSL V2 and add more bit encryption, and a stronger cipher for encryption.

Re:Astonished

[operagost]

I'm not familiar with that approach. Ours was to require TLS 1.0. In situations where TLS wasn't supported, we used SSL 3.0 with CBC ciphers disabled. Of course, this worked for about 6 months before someone discovered that RC4 was vulnerable...

Your ignorance is showing.

So glad that I'm using a webserver that does NOT use this abomination called OpenSSL and was writting with security in mind. Drown, Heartbleed, Slowloris, etc, never caused me any trouble.

This flaw, which is common to all SSLv2 implementations, was discovered and proven with help from the OpenSSL team. So tell me how horrible OpenSSL is again?

Incidentally, none of my servers (many of which use OpenSSL) were vulnerable to DROWN because SSLv2 has been turned off on all of them for years.

There's nothing wrong with applauding your own favorite webserver, but when you attack a mature crypto library, you need to get your facts straight. Personally I am less likely to consider Hiawatha if it's beloved by ignorant people....

Re:Your ignorance is showing.

[Aethedor]

Personally I am less likely to consider Hiawatha if it's beloved by ignorant people....

Speaking of ignorance...

Comment removed

[account_deleted]

Comment removed based on user account deletion

Ha ha, no worries

[JustAnotherOldGuy]

Ha ha, no worries here, I don't use SSL on my sites!

Oh, wait...