Security going under with DROWN

Digital security remains a hot topic. This makes sense. Everything nowadays is done via the Internet: e-mail, messaging and telephony, shopping, banking, taxes and more. Therefore, it is important that all connections which send sensitive information are properly secured. Recently, a serious vulnerability named DROWN has come to light which has serious implications for this security.

Brief summary of DROWN

Connections are usually protected with a certificate. When you visit a secure website (like this one), the browser marks it with a green lock icon in the address bar. When something is wrong with the certificate or the connection, the browser displays a warning and shows no green lock icon. With DROWN this is not the case.

If a server supports the old encryption protocol SSLv2, DROWN makes it possible to impersonate the installed certificate. This allows attackers to intercept the connection and eavesdrop on all information that passes through it.

If the same certificate is used for multiple services (potentially on multiple servers), these are also vulnerable, even if SSLv2 is not enabled there. This makes DROWN very dangerous.
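The cross-server exposure described above is easy to miss in a service inventory: a host that only offers TLS is still affected if any other host presenting the same certificate (and therefore the same RSA private key) still accepts SSLv2. The following added example (not part of the original 1A post) groups a constructed inventory by certificate fingerprint and flags every service exposed this way; the hostnames and fingerprints are placeholders.

```python
"""Flag services exposed to DROWN directly or through a shared certificate.

Added example, not from the original post. The inventory is constructed:
each entry is an endpoint, the fingerprint of the certificate it serves,
and whether the service still accepts SSLv2 handshakes.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    endpoint: str          # "host:port"
    cert_fingerprint: str  # fingerprint of the served certificate (placeholder)
    sslv2_enabled: bool    # does the service still accept SSLv2?


# Constructed inventory; fingerprints are placeholders, not real values.
INVENTORY = [
    Service("www.example.test:443", "sha256:AAAA", False),
    Service("mail.example.test:465", "sha256:AAAA", True),   # legacy SMTPS, SSLv2 still on
    Service("mail.example.test:993", "sha256:AAAA", False),  # same cert as the SMTPS service
    Service("shop.example.test:443", "sha256:BBBB", False),  # own cert, no SSLv2 anywhere
    Service("old.example.test:443", "sha256:CCCC", True),
]


def drown_exposure(inventory):
    """Return {endpoint: reason} for every service exposed to DROWN.

    A service is exposed if it accepts SSLv2 itself, or if any service
    presenting the same certificate (same private key) accepts SSLv2.
    """
    by_cert = defaultdict(list)
    for svc in inventory:
        by_cert[svc.cert_fingerprint].append(svc)

    exposed = {}
    for services in by_cert.values():
        weak = [s.endpoint for s in services if s.sslv2_enabled]
        if not weak:
            continue  # nobody sharing this key speaks SSLv2: not affected
        for s in services:
            if s.sslv2_enabled:
                exposed[s.endpoint] = "accepts SSLv2 directly"
            else:
                exposed[s.endpoint] = "shares key with SSLv2 host(s): " + ", ".join(weak)
    return exposed


if __name__ == "__main__":
    for endpoint, reason in sorted(drown_exposure(INVENTORY).items()):
        print(f"{endpoint:28} {reason}")
```

The remediation is the same in both cases: disable SSLv2 on the host that still accepts it, after which every service sharing that key drops out of the report.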

Am I vulnerable to DROWN?

To answer this question, we need to split your Internet presence into two groups:

  1. The role of user → you are using a secured service provided by another party
  2. The role of provider → you have one or more servers where secure services are offered

In the role of a user you are completely dependent on the server side; there is no protection possible from your side. Fortunately, most major parties have already taken action. If you do not trust such a party enough yet need to send it confidential information, you can check its Internet address on the website that has been created especially for DROWN.

In the role of a provider, you are responsible for resolving this vulnerability. No worries! All services on your 1A-server(s) and web hosting at 1A were secured soon after the details on DROWN were published. It could be that your company offers further services on the Internet which are not managed by 1A. If these use the same certificate as the 1A-server, we cannot guarantee the security of those connections. Of course, you can check whether you need to take action yourself by checking the Internet address.

Do I need to purchase a new certificate?

No. DROWN does not allow the private key of your certificate to be stolen, so only the connections are vulnerable and not your certificate.

More information about DROWN:


Richard de Vroede

A perfectionistic Jack-of-all-trades who dedicates all of his passion to his work.