1. Web

How safe is your site from a ‘Drown hack’ attack?

By

google project zero publishes microsoft browser day bug hacker keyboard dark room
With digital security on the forefront of global consciousness, a new report suggesting that “thousands of popular sites” might be vulnerable to one type of cyberattack has raised alarm bells.

According to experts, the so-called Drown attack is a “serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security.” With this sort of attack, hackers would be able to “break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data.” Most terrifying of all, it is estimated that 33 percent of HTTPS servers are vulnerable.

Luckily, there is a fix available, and it’s already been disseminated to help site administrators add an extra layer of security to their online domains. Still, it will take time to fully implement, and in the meantime, the hackers may still have access to a significant chunk of the Internet.

“What is shocking about this is that they [the hackers] have found a way to use a very old fault that we have known about since 1998,” Professor Alan Woodward of the University of Surrey told the BBC. “And all this was perfectly avoidable. It is a result of us having used deliberately weakened encryption, which people broke years ago, and it is now coming back to haunt us.”

So what can you now do? The researchers studying the issue note that, “To protect against Drown, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS.” Drownattack.com also provides a form to “check whether your server appears to be exposed to the attack.”

Ultimately, a complete solution requires some expertise. “Operators of vulnerable servers need to take action,” the researchers wrote. “There is nothing practical that browsers or end-users can do on their own to protect against this attack.”

Editors' Recommendations

Android vs. iOS: Which smartphone platform is the best?

android vs ios v cameras feat

The best browsers for privacy

stock photo of laptop on desk

Protect your privacy with the best cheap VPN deals for January 2021

best vpn for small business man holding phone app creation internet protocols protection network

The best remote desktop software for 2021

libreoffice vs openoffice woman working at home using her laptop 4050290

Gmail experiencing disruption globally, Google confirms

gmail for ios finally gets handy customizable swipe actions

Twitter is about to close its Periscope livestreaming app

periscope super hearts lauunched application on a cell phone

How to create a playlist on YouTube

YouTube Photo

Zoom to lift its 40-minute meeting limit for holiday celebrations

young couple enjoying a video chat

Are you using any of these browser extensions? Uninstall them now

microsoft edge chromium to roll out automatically soon chrome

How to recall an email in Outlook

outlook email

What is a meme? Here’s everything you need to know

what is a meme whatisameme01

Why do you see ads for stuff you’ve already bought?

google revamped ad settings tool android

Get ready, kids, these Santa trackers are about to fire up!

get ready kids these santa trackers are about to fire up claus 2020