1. Web

How safe is your site from a ‘Drown hack’ attack?

By

google project zero publishes microsoft browser day bug hacker keyboard dark room
With digital security on the forefront of global consciousness, a new report suggesting that “thousands of popular sites” might be vulnerable to one type of cyberattack has raised alarm bells.

According to experts, the so-called Drown attack is a “serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security.” With this sort of attack, hackers would be able to “break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data.” Most terrifying of all, it is estimated that 33 percent of HTTPS servers are vulnerable.

Luckily, there is a fix available, and it’s already been disseminated to help site administrators add an extra layer of security to their online domains. Still, it will take time to fully implement, and in the meantime, the hackers may still have access to a significant chunk of the Internet.

“What is shocking about this is that they [the hackers] have found a way to use a very old fault that we have known about since 1998,” Professor Alan Woodward of the University of Surrey told the BBC. “And all this was perfectly avoidable. It is a result of us having used deliberately weakened encryption, which people broke years ago, and it is now coming back to haunt us.”

So what can you now do? The researchers studying the issue note that, “To protect against Drown, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS.” Drownattack.com also provides a form to “check whether your server appears to be exposed to the attack.”

Ultimately, a complete solution requires some expertise. “Operators of vulnerable servers need to take action,” the researchers wrote. “There is nothing practical that browsers or end-users can do on their own to protect against this attack.”

Editors' Recommendations

How to protect your home security camera from hackers

Google Nest Indoor Security Camera

How to tell if your security camera has been hacked

amazon shares a sneak peek at device deals heading into black friday ring indoor cam 1

How to prevent your Ring smart cameras from being hacked

Ring Indoor Cam

How to tell if your webcam has been hacked

razer siren x mic kiyo webcam and 4

With Tesla bleeding money, Elon Musk initiates hardcore spending review

Tesla Model Y front

Deathloop PC system requirements: Can your PC play Deathloop?

Colt kicks an enemy in Deathloop.

How much storage do you need on your new iPhone 13? Here’s how to decide

iPhone 13 Pro colors.

The best streaming devices for 2021

Chromecast with Google TV

The best gaming speakers for 2021

A Logitech speaker sitting beside a desktop computer.

The best robot vacuums for 2021

The iRobot Roomba s9 cleaning.

Succession season 3 trailer suggests an all-out family war

succession season 3 trailer

Best cheap gaming PC deals for September 2021

best graphics card for gaming origin neuron desktop review lifestyle behind shoulder

The unfortunate part about connected fitness equipment for the home

best home gym equipment cycle 3 970x647 c 1