
DROWN SSL Vulnerability Checker

Posted on Mar 2, 2016 in Security Blog


Taken from DROWNattack.com:

DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third parties being able to read the communication.

DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Our measurements indicate 33% of all HTTPS servers are vulnerable to the attack.

Any communication between users and the server. This typically includes, but is not limited to, usernames and passwords, credit card numbers, emails, instant messages, and sensitive documents. Under some common scenarios, an attacker can also impersonate a secure website and intercept or change the content the user sees.

Websites, mail servers, and other TLS-dependent services are at risk for the DROWN attack.

Modern servers and clients use the TLS encryption protocol. However, due to misconfigurations, many servers also still support SSLv2, a 1990s-era predecessor to TLS. This support did not matter in practice, since no up-to-date clients actually use SSLv2. Therefore, even though SSLv2 is known to be badly insecure, until now, merely supporting SSLv2 was not considered a security problem, because clients never used it.

DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.


CHECK YOUR SITE FOR DROWN TLS/SSL VULNERABILITY NOW BY RUNNING THE SSLYZE TOOL FOR FREE:

The same sslyze run also checks for the Heartbleed OpenSSL vulnerability (CVE-2014-0160, disclosed in April 2014) and reports in its output whether the server is vulnerable. Note that DROWN does not require SSLv2 on the web server itself: the attack works against any TLS service whose RSA private key is also used by an SSLv2-capable service on any port or host (a mail server sharing the site's certificate, for example), so run the check against every service that uses the same certificate or key, not only port 443.

http://tools.security-audit.com

Example of sslyze output for a server that is not vulnerable to Heartbleed:

  * OpenSSL Heartbleed:
      OK - Not vulnerable to Heartbleed 

Example of sslyze output for a server that does not support SSLv2 and is therefore not vulnerable to DROWN:

* SSLV2 Cipher Suites:

      Server rejected all cipher suites.

Example of vulnerable TLS/SSL configuration for DROWN: a server is exposed when sslyze lists one or more accepted cipher suites under "SSLV2 Cipher Suites" instead of reporting "Server rejected all cipher suites". The output pasted below, although posted as the vulnerable example, shows the rejected-all result and is therefore not vulnerable; the "Session Resumption" lines after it describe TLS session caching and have no bearing on DROWN:

* SSLV2 Cipher Suites:

      Server rejected all cipher suites.

  * Session Resumption:
      With Session IDs:                  PARTIALLY SUPPORTED (2 successful, 3 failed, 0 errors, 5 total attempts). Try --resum_rate.
      With TLS Session Tickets:          NOT SUPPORTED - TLS ticket assigned but not accepted.
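The following is an added example, not code from the original post, from sslyze or from drownattack.com, of the check that sits behind sslyze's "SSLV2 Cipher Suites" line: it encodes an SSLv2 CLIENT-HELLO, sends it, and reports whether the server answers with an SSLv2 SERVER-HELLO (SSLv2 enabled, DROWN exposure) or with a TLS alert (SSLv2 refused). The message layouts are taken from the SSL 2.0 draft specification. The sample SERVER-HELLO and its 5-byte "certificate" are constructed for the offline demo, not captured from any real server, and the port list, host handling and function names are illustrative. Because DROWN only needs the TLS certificate's key to be reachable over SSLv2 somewhere, the script also compares the certificate returned over SSLv2 with the one the TLS service on port 443 presents:

```python
"""SSLv2 probe for DROWN exposure (added example; not from the original post,
sslyze or drownattack.com). Message layouts follow the SSL 2.0 draft spec."""
import hashlib
import os
import socket
import ssl
import struct

# The seven SSLv2 cipher kinds, 3 bytes each, as named in the SSL 2.0 draft.
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_ERROR, MSG_CLIENT_HELLO, MSG_SERVER_HELLO = 0, 1, 4


def build_client_hello(challenge=None):
    """Encode an SSLv2 CLIENT-HELLO record that offers every SSLv2 cipher kind."""
    challenge = os.urandom(16) if challenge is None else challenge
    specs = b"".join(SSLV2_CIPHER_KINDS)            # all seven 3-byte kinds
    body = (bytes([MSG_CLIENT_HELLO, 0x00, 0x02])    # message type, version 2.0
            + struct.pack(">HHH", len(specs), 0, len(challenge))  # no session-id
            + specs + challenge)
    # Two-byte record header: bit 15 set means "no padding byte", 15-bit length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def _result(sslv2, reason, ciphers=(), cert=b""):
    fp = hashlib.sha256(cert).hexdigest() if cert else ""
    return {"sslv2": sslv2, "reason": reason, "ciphers": list(ciphers),
            "cert": cert, "fingerprint": fp}


def parse_server_reply(data):
    """Classify what came back after CLIENT-HELLO. "sslv2" is True only for an
    SSLv2 SERVER-HELLO, which means the service will negotiate SSLv2."""
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return _result(False, "TLS record in reply (SSLv2 refused)")
    if len(data) < 3:
        return _result(False, "empty or short reply")
    if data[0] & 0x80:                    # 2-byte header, no padding
        length, body = ((data[0] & 0x7F) << 8) | data[1], data[2:]
    else:                                 # 3-byte header, padding byte follows
        length, body = ((data[0] & 0x3F) << 8) | data[1], data[3:]
    body = body[:length]
    if body and body[0] == MSG_ERROR:     # server spoke SSLv2 but refused us
        code = struct.unpack(">H", body[1:3])[0] if len(body) >= 3 else -1
        return _result(False, "SSLv2 ERROR message, code %d" % code)
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return _result(False, "not an SSLv2 SERVER-HELLO")
    # SERVER-HELLO: type, session-id-hit, cert-type, version(2), then three
    # 16-bit lengths for certificate, cipher-specs and connection-id.
    cert_len, specs_len, _conn_len = struct.unpack(">HHH", body[5:11])
    cert = body[11:11 + cert_len]
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    ciphers = [SSLV2_CIPHER_KINDS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, len(specs) - len(specs) % 3, 3)]
    return _result(True, "SSLv2 SERVER-HELLO received", ciphers, cert)


def probe_sslv2(host, port=443, timeout=5.0):
    """Send CLIENT-HELLO to host:port over raw TCP (implicit TLS ports only)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        reply = b""
        try:
            while len(reply) < 65536:
                chunk = sock.recv(16384)
                if not chunk:
                    break
                reply += chunk
                if len(reply) >= 2 and reply[0] & 0x80 and \
                        len(reply) >= 2 + (((reply[0] & 0x7F) << 8) | reply[1]):
                    break                 # complete 2-byte-header SSLv2 record
        except socket.timeout:
            pass
    return parse_server_reply(reply)


def tls_cert_fingerprint(host, port=443):
    """SHA-256 of the DER certificate the TLS service on host:port presents."""
    pem = ssl.get_server_certificate((host, port))
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


# Constructed SERVER-HELLO (not captured from a real server): placeholder 5-byte
# "certificate", two accepted cipher kinds, 16-byte connection-id.
_CERT, _SPECS, _CONN = b"\x30\x03\x02\x01\x01", b"\x01\x00\x80\x07\x00\xc0", b"\x00" * 16
_BODY = (bytes([MSG_SERVER_HELLO, 0, 1, 0, 2])
         + struct.pack(">HHH", len(_CERT), len(_SPECS), len(_CONN)) + _CERT + _SPECS + _CONN)
SAMPLE_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_BODY)) + _BODY
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"   # TLS alert: handshake_failure

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:                 # offline demo on the constructed sample
        print(parse_server_reply(SAMPLE_SERVER_HELLO))
        sys.exit(0)
    host = sys.argv[1]
    ports = [int(p) for p in sys.argv[2:]] or [443, 465, 993, 995]
    tls_fp = tls_cert_fingerprint(host, 443)
    for port in ports:
        try:
            r = probe_sslv2(host, port)
        except OSError as exc:
            print("%5d  unreachable: %s" % (port, exc))
            continue
        shared = r["sslv2"] and r["fingerprint"] == tls_fp
        print("%5d  %s %s%s" % (port, r["reason"], r["ciphers"],
                                "  <-- same cert as :443, DROWN exposure" if shared else ""))
```

Run it with no arguments to see the parser classify the constructed sample, or with a host name and optional port list to probe live services. The default ports are implicit-TLS ports; STARTTLS services (25, 587, 110, 143) need the protocol's STARTTLS preamble before the hello, which this script does not send. An "SSLv2 ERROR message" reply means the service parsed the SSLv2 hello even though it did not complete the handshake, so treat it as a warning rather than a clean pass. Comparing certificate fingerprints is a proxy for the shared-key condition DROWN needs: two different certificates can still carry the same RSA key, so compare public keys when the certificates differ.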



