Drown attack is a latest fault that reduces confidence in TLS and SSL encryption. It cracks TLS security protocol to gain access to many HTTPS based websites. Now a days its necessary to control the unwanted traffic between the end user and the server. Securing TLS privacy aspects and data integrity is important. Lets know more about DROWN Attacks and mitigation practices to fight against them.
DROWN Attacks :
DROWN (Decrypting RSA using Obsolete and Weakened encryption) Across-protocol security Bug attacks on Servers TLS protocol suites . This allows the attackers to steal the information shared on secured connections. All type of servers can be affected by this, who offer secured services with TLS(transfer layer security) and supports SSLv2 and allows to share same public key credentials between two protocols. If many servers using same credentials that supports SSLv2, leads to spread the key information against the TLS Server.
Research shows that 17% of HTTPS-protected servers are unsafe and key to attack. SSLv2 is not only risk but also actively harmful to the TLS Environment. Here the attacks first decrypt one TLS session, by capturing 1000’s of TLS sessions using RSA ciphertext, where server secret keys are exchanged online by encrypting secret key with intended recipient’s public key.
For an instance, An HTTPS server which doesn’t support SSLv2 is unsafe because it shares public key with SMTP that supports SSLv2. Now attackers easily break the TLS session by taking advantages of this situation.
DROWN Attack mitigation steps :
In March 2016, DROWN came into picture . Named as CVE-2016-0800 with the patch that disables SSLv2 in OpenSSL, This patch is just not enough to mitigate the attack.
- Experts of network security services cryptographic library, disabled the SSLv2 by default to all protocols.
- For all SSLv2 supported versions of IIS and web servers that uses Apache httpd2.4.x will not be key to this vulnerability, because the SSLV2 has been disabled for them.
- A network administrator need to make sure that the user’s private key are not being reused on any web servers, SMTP servers, IMAP /POP servers, and unmanaged Software that allows SSLv2.
- Administrator need to check all SSLv2 connections appearing through DROWN attack websites. This can be done by checking the website validation form which depicts whether server will be attempted to attack. A Threat detecting device will now filter the traffic and use different RSA private key unique from any servers or devices.
- A Security Team need to be aware of all new network vulnerabilities and unauthorized access from cloud services. New encryption algorithm and network protocols need to be tested frequently. It will be easy for a patch management team to use up-to date software and asset inventory to locate the affected services or devices.
VPS9 Networks provide Complete management support with Highly configured Managed VPS hosting. Basic security constraints are setup by default to avoid such issues. Managed VPS comes with Free cPanel Access through which you can monitor website traffic and take necessary actions. Know more about managed VPS hosting services.