Security Audit Systems
Drown SSL Vulnerability Checker

SAS · March 2, 2016

Taken from DROWNattack.com:

DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third-parties being able to read the communication.

DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Our measurements indicate 33% of all HTTPS servers are vulnerable to the attack.

Any communication between users and the server. This typically includes, but is not limited to, usernames and passwords, credit card numbers, emails, instant messages, and sensitive documents. Under some common scenarios, an attacker can also impersonate a secure website and intercept or change the content the user sees.

Websites, mail servers, and other TLS-dependent services are at risk for the DROWN attack.

Modern servers and clients use the TLS encryption protocol. However, due to misconfigurations, many servers also still support SSLv2, a 1990s-era predecessor to TLS. This support did not matter in practice, since no up-to-date clients actually use SSLv2. Therefore, even though SSLv2 is known to be badly insecure, until now, merely supporting SSLv2 was not considered a security problem, because clients never used it.

DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.

CHECK YOUR SITE FOR DROWN TLS/SSL VULNERABILITY NOW BY RUNNING THE SSLYZE TOOL FOR FREE:

This tool will also check for the Heartbleed SSL vulnerability that came out last year and report in its output whether you are vulnerable.

http://tools.security-audit.com

Example of a configuration that is not vulnerable to Heartbleed:

  * OpenSSL Heartbleed:
      OK - Not vulnerable to Heartbleed 

Example of a configuration that is not vulnerable to DROWN (SSLv2 disabled):

* SSLV2 Cipher Suites:

      Server rejected all cipher suites.

Example of vulnerable TLS/SSL Configuration for DROWN:

* SSLV2 Cipher Suites:

      Server rejected all cipher suites.

  * Session Resumption:
      With Session IDs:                  PARTIALLY SUPPORTED (2 successful, 3 failed, 0 errors, 5 total attempts). Try --resum_rate.
      With TLS Session Tickets:          NOT SUPPORTED - TLS ticket assigned but not accepted.
