DROWN attack: check your server configuration
March 02, 2016 · Remy Luciani · 1 min read
A new security vulnerability in HTTPS was disclosed yesterday: DROWN. The attack can decrypt an HTTPS connection. Impact: hackers can steal your users' data, such as their passwords, credit card numbers and personal information.
Basically, your server is vulnerable if it accepts HTTPS connections over SSLv2 or previous versions of the protocol. Likewise, if your server does not support SSLv2 but your certificate's private key is also used on another server that does, the exploit remains possible.
This is true even if SSLv2 is only enabled for another protocol (e.g. the POP3 service on your mail server).
How can I check if my server is vulnerable?
The checker provided by the DROWN website lets you check whether your server is vulnerable to DROWN.
Nevertheless, it may return an empty result if your domain has never been crawled by the drownattack.com team. Fortunately, there is a Python utility available on GitHub that you can use to scan your server and detect whether it is vulnerable. Everything is explained in its documentation.
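As an added check, not the drownattack.com checker nor the GitHub utility mentioned above, the script below sends an SSLv2 CLIENT-HELLO to a port that speaks TLS directly (443, 465, 993, 995; STARTTLS services are not handled) and reports whether the server completes an SSLv2 handshake and which SSLv2 cipher kinds it offers. The host and port are yours to supply; the reply bytes used to exercise the parser are constructed.

```python
import os
import socket
import struct

# SSLv2 cipher kinds (3 bytes each); the 40-bit EXPORT kinds are what general DROWN needs.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "RC4_128_WITH_MD5",
    b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}

def build_sslv2_client_hello(challenge: bytes = b"") -> bytes:
    """SSLv2 CLIENT-HELLO offering every cipher kind, behind a 2-byte record header."""
    challenge = challenge or os.urandom(16)           # spec allows 16..32 bytes
    ciphers = b"".join(SSLV2_CIPHERS)
    body = (b"\x01\x00\x02"                           # MSG-CLIENT-HELLO, version 0x0002
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))  # no session id
            + ciphers + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body  # high bit set: 2-byte header

def parse_sslv2_server_hello(data: bytes):
    """Cipher names from an SSLv2 SERVER-HELLO, or None if the reply is anything else."""
    if len(data) < 13 or not data[0] & 0x80:          # TLS alert/record, or truncated
        return None
    msg = data[2:2 + (((data[0] & 0x7F) << 8) | data[1])]
    if len(msg) < 11 or msg[0] != 0x04:               # 0x04 = MSG-SERVER-HELLO
        return None
    version, cert_len, spec_len, conn_len = struct.unpack(">HHHH", msg[3:11])
    if version != 0x0002 or len(msg) < 11 + cert_len + spec_len + conn_len:
        return None
    specs = msg[11 + cert_len:11 + cert_len + spec_len]
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, len(specs), 3)]

def check_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Probe one implicit-TLS port (443, 465, 993, 995; not STARTTLS) for SSLv2."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        reply = b""
        try:
            while len(reply) < 8192 and (chunk := sock.recv(4096)):
                reply += chunk
        except socket.timeout:
            pass                                      # server waits for us: use what arrived
    ciphers = parse_sslv2_server_hello(reply)
    return {"sslv2": ciphers is not None, "ciphers": ciphers or [],
            "export_ciphers": [c for c in ciphers or [] if "EXPORT" in c]}
```

A server that is TLS-only answers with a TLS alert or simply closes the connection, so `sslv2` comes back `False`; any SSLv2 SERVER-HELLO means SSLv2 must be switched off on that service.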
Oops, I’m vulnerable. How do I fix that?
You must disable SSLv2 on your servers, in every service: web server, mail server… Use TLS only. This is simple with Apache or Nginx but it might not be as simple for other technologies. Once again, read the countermeasures on the DROWN website!