
DROWN ATTACK

DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption. It is a cross-protocol
security bug that mainly attacks servers supporting modern TLS protocol suites. DROWN can affect
all types of servers that offer services using the same public key credentials across the two protocols
(SSLv2 and TLS). If the same public key certificate is also used on a different server that supports
SSLv2, the TLS server is vulnerable as well, because SSLv2 leaks key information that can be used
against the TLS server.

The world came to know about DROWN in March 2016, along with a patch that disables SSLv2 in
OpenSSL.

According to the survey, the exploit cannot be fixed by making changes to client software such as
web browsers.

DROWN is a chosen-ciphertext attack that is carried out by using an SSLv2 server as a
Bleichenbacher oracle.

[Figure: DROWN attack. Labels: "TLS connections in normal mode"; "Hacker reads the TLS connection"; "Victim client"; "Victim server that supports SSL v2"; "Attacker launches Malicious SSL V2 into the ser"; "Attacker".]

Why should we care about TLS and SSLv2:

Transport Layer Security (TLS) is one of the most important security protocols on the internet. Users
should care about TLS because every transaction we conduct on the internet relies on TLS (v1.0, 1.1,
1.2).

Basics:

The DROWN attack affects HTTPS and other services that rely on the SSL and TLS protocols. Attackers
use it to break the encryption that users rely on to secure their data. If the encryption is broken,
the hacker can steal sensitive information (e.g. passwords, financial data and emails). It is known
that 22% of servers are vulnerable to this attack. A website, mail server or other service is
susceptible to this attack only if it relies on TLS.

To find out whether a website or mail server uses SSLv2, use a tool such as the DigiCert® SSL
Installation Diagnostics Tool. To check whether any server in our network uses SSLv2, use a tool
like DigiCert® Certificate Inspector.

Mitigating the DROWN attack:

OpenSSL: If we are using OpenSSL, first we need to upgrade to the latest version.
Microsoft IIS: If we are using IIS, we need to disable SSLv2 by default; another notable
thing is to upgrade to the newest version.
Network Security Services (NSS): Disable SSLv2 by default. If we manually enabled support
for SSLv2, go back to that setting and disable it.
Apache, Nginx: If the server supports SSLv2, disable it.

Who is vulnerable:

Websites, mail servers and other TLS-dependent services are vulnerable; many popular websites are
vulnerable to this attack.

To find out or measure which sites are vulnerable, use an Internet-wide scan.

                                   Vulnerable at disclosure ()   Still vulnerable ()
HTTPS: Top million domains         25%                           15%
HTTPS: All browser-trusted sites   22%                           16%
HTTPS: All sites                   33%                           28%

Is my site vulnerable:

Most modern servers and clients use the TLS encryption protocol. Due to misconfiguration, many
servers still support SSLv2. DROWN shows that servers that support SSLv2 are a threat to modern
servers and clients. It allows the hacker to decrypt the TLS connection between client and server by
sending probes to a server that uses the same private key.

A server is vulnerable if:

1. It allows SSLv2 connections. Measurements show that 17% of HTTPS servers still allow
SSLv2 connections.
2. Its private key is used by any other server that allows SSLv2 connections. For example, many
organizations use the same certificate and key on their web and email servers. In some cases,
the email server supports SSLv2 and the web server does not. This is one of the main advantages
for hackers in breaking the TLS connection to the web server.
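
The two conditions above can be checked over a scan inventory. The following is an added example, not part of the original page: it classifies each endpoint by whether it allows SSLv2 itself or shares a public key with an endpoint that does, and goes slightly beyond the text by flagging keys that also sit on an unscanned endpoint. The inventory, host names, key labels and the function name `classify_drown_exposure` are constructed for illustration.

```python
from collections import defaultdict

# Constructed scan inventory (hypothetical hosts). "spki" is a fingerprint of the
# certificate's public key: equal values mean one shared RSA key pair, even when
# the certificates differ. "sslv2" is True/False from a scan, None if unscanned.
INVENTORY = [
    {"endpoint": "www.example.test:443", "spki": "key-A", "sslv2": False},
    {"endpoint": "mail.example.test:25", "spki": "key-A", "sslv2": True},
    {"endpoint": "shop.example.test:443", "spki": "key-B", "sslv2": False},
    {"endpoint": "old.example.test:443", "spki": "key-C", "sslv2": True},
    {"endpoint": "imap.example.test:993", "spki": "key-D", "sslv2": False},
    {"endpoint": "pop.example.test:995", "spki": "key-D", "sslv2": None},
]


def classify_drown_exposure(inventory):
    """Map endpoint -> (status, peers) per the two conditions in the list above.

    "direct": the endpoint itself allows SSLv2 (condition 1).
    "shared-key": another endpoint with the same key allows SSLv2 (condition 2).
    "unverified": a same-key endpoint was never scanned, so it cannot be cleared.
    "ok": every endpoint using this key was scanned and none allows SSLv2.
    """
    sslv2_on, unscanned = defaultdict(list), defaultdict(list)
    for rec in inventory:
        if rec["sslv2"] is True:
            sslv2_on[rec["spki"]].append(rec["endpoint"])
        elif rec["sslv2"] is None:
            unscanned[rec["spki"]].append(rec["endpoint"])

    result = {}
    for rec in inventory:
        key, name = rec["spki"], rec["endpoint"]
        peers = [e for e in sslv2_on[key] if e != name]
        if rec["sslv2"] is True:
            result[name] = ("direct", peers)
        elif peers:
            result[name] = ("shared-key", peers)
        elif unscanned[key]:
            result[name] = ("unverified", unscanned[key])
        else:
            result[name] = ("ok", [])
    return result


if __name__ == "__main__":
    for name, (status, peers) in classify_drown_exposure(INVENTORY).items():
        print(f"{name:24} {status:11} {', '.join(peers)}")
```

In this constructed inventory the web server never speaks SSLv2 yet is reported as "shared-key" because the mail server uses the same key, which is the case the second condition describes.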

How to protect:

First, the server operator needs to ensure their private key cannot be used anywhere that SSLv2
connections are allowed. Disable SSLv2; this can be complicated, depending on the server.

Does DROWN compromise my private key:

The DROWN attack mainly targets an individual session, not the server's key. Even after a
DROWN attack, we do not need to regenerate our private key; instead, identify all the services that
share this key and disable SSLv2 on them.

How DROWN works:

The researchers found that DROWN works by combining a brute-force decryption technique with a
Bleichenbacher padding oracle to decrypt the TLS connection.

The user is at risk if the server allows SSLv2 connections, or if its private key is used by another
server that is vulnerable to the DROWN attack.

For example:

An HTTPS web server that does not support SSLv2 may be vulnerable because it shares its public key
with an SMTP server. The attacker can take advantage of this and break the TLS connection to the
web server.

The attack also works when a hacker has the ability to monitor traffic between an end user and the
server.
