Sign up for our newsletter
Technology / Cybersecurity

11 million HTTPS websites at risk of DROWN SSL vulnerability

A group of international researchers have outlined a vulnerability called DROWN, which was previously unknown, and could undermine the security of HTTPS.

The researchers say the attack is "a novel cross-protocol attack that can decrypt passively collected TLS sessions from up-to-date clients by using a server supporting SSLv2 as a Bleichenbacher RSA padding oracle."

The attack decrypts sensitive communications in just hours, and in some cases it can even be done almost immediately, at relatively low cost.

The researchers have compiled all their research on a website that accompanies the academic paper. On it they list many of the popular sites that are vulnerable. These include,,,, and

White papers from our partners

They say that attacks could intercept "any communication between users and the server". This could include data such as usernames and passwords and credit card numbers, as well as messages such as emails, instant messages, and sensitive documents.

The attack can be executed against communications protected by TLS relying on the RSA cryptography when SSLv2 exposes the key. The researchers "discovered multiple implementation flaws in commonly deployed OpenSSL versions that allow an extremely efficient and much more dangerous instantiation of this attack."

The international team worked with OpenSSL, after discovering the vulnerability to the cryptographic library, and an update to patch the flaw is on the way.

The version of HTTPS affected came out in 1995, and was declared dead less than a year ago. The vulnerability could leave millions of websites vulnerable to attack.

In the academic paper, the researchers said that "We found that 11.5 million (33%) HTTPS servers are vulnerable to our attacks, because many HTTPS servers that do not directly offer SSLv2 share RSA keys with other services that do."

Ivan Ristic of Qualys said: "The attack is an extension of the 1998 Bleichenbacher attack that can be used to decrypt a ciphertext when a padding oracle exists. For more information, I suggest that you read the original DROWN research, which is very interesting indeed.

"However, the bottom line is that one out of every 1,000 full TLS handshakes can be decrypted, leading to the compromise of the entire TLS session (potentially many connections of data)."

In their paper, having outlined practical attack scenarios in detail, the researchers say "we argue that modern practices of cryptographic protocol design do not include a systematic analysis to prevent direct message side channel Bleichenbacher attacks."

This underlines that the issue is due to the ongoing use of old cryptography tools. "The continued use of obsolete cryptography tools needs to stop," said Craig Young, Security Researcher at Tripwire.

"Earlier this year we learned how the SLOTH attack could compromise privacy of TLS, VPN, and SSH services when the obsolete SHA-1 or MD5 hashing algorithms were used. Now we are seeing a practical attack capable of extracting private keys out of servers running the completely broken SSLv2 protocol."

"Our work serves as yet another reminder of the importance of removing deprecated technologies before they become exploitable vulnerabilities," said the researchers.

The DROWN reserachers were from Tel Aviv University, Münster University of Applied Sciences, Ruhr University Bochum, the University of Pennsylvania, the Hashcat project, the University of Michigan, Two Sigma, Google, and the OpenSSL project.

Individuals involved in the project include Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt.

This article is from the CBROnline archive: some formatting and images may not be present.