Skip to main content
  1. Home
  2. Web
  3. Computing
  4. News

How safe is your site from a ‘Drown hack’ attack?

Lulu Chang
By

A pair of hands on a laptop keyboard with two displays.
With digital security on the forefront of global consciousness, a new report suggesting that “thousands of popular sites” might be vulnerable to one type of cyberattack has raised alarm bells.

According to experts, the so-called Drown attack is a “serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security.” With this sort of attack, hackers would be able to “break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data.” Most terrifying of all, it is estimated that 33 percent of HTTPS servers are vulnerable.

Luckily, there is a fix available, and it’s already been disseminated to help site administrators add an extra layer of security to their online domains. Still, it will take time to fully implement, and in the meantime, the hackers may still have access to a significant chunk of the Internet.

“What is shocking about this is that they [the hackers] have found a way to use a very old fault that we have known about since 1998,” Professor Alan Woodward of the University of Surrey told the BBC. “And all this was perfectly avoidable. It is a result of us having used deliberately weakened encryption, which people broke years ago, and it is now coming back to haunt us.”

So what can you now do? The researchers studying the issue note that, “To protect against Drown, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS.” Drownattack.com also provides a form to “check whether your server appears to be exposed to the attack.”

Ultimately, a complete solution requires some expertise. “Operators of vulnerable servers need to take action,” the researchers wrote. “There is nothing practical that browsers or end-users can do on their own to protect against this attack.”

Editors' Recommendations

Android 13 is here, and you can download it on your Pixel phone right now

Official artwork of Android 13

Top 10 Windows shortcuts everyone should know

An individual using a laptop's keyboard.

Twitter’s latest features are all about curbing election misinformation

Twitter's new election-specific features shown on a smartphone.

Microsoft’s emoji library goes open source

The design process of emoji.

With Tesla bleeding money, Elon Musk initiates hardcore spending review

Elon Musk talks to the press as he arrives to to have a look at the construction site of the new Tesla Gigafactory near Berlin.

A Lord of the Rings game is in the works from the studio that created the films’ VFX

Screenshot with orcs attacking in Middle-Earth: Shadows of Mordor.

Get a first look at the remake of the infamous XIII remake

The logo for XIII remake

Zoom just fixed a major security flaw on Mac. Here’s why you should update now

The Logitech Brio 4K Pro attached to a Macbook.

You can (sort of) generate art like Dall-E with TikTok’s latest filter

A person's hand holding a phone with the TikTok app on it.

All the free characters in MultiVersus right now

A large group of DC and Warner Bros characters stand together in MultiVersus.

Best MacBook deals and sales for August 2022

Macbook Air (2018) Review

Heading back to school? Get this lightweight Dell laptop for $249

dell inspiron 15 3000 deal june 2022 7000 01

Technics turntable fans now have a more affordable option: $1,000 SL-100C

Technics SL-100C turntable.