Mar 1, 2016
SSLv2 DROWN Attack
In technical terms, DROWN is a new form of cross-protocol Bleichenbacher padding oracle attack. It allows an attacker to decrypt intercepted TLS connections by making specially crafted connections to an SSLv2 server that uses the same private key.
TL;DR:
- DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption.
- If your servers are still supporting SSLv2
- If you have a farm of servers supporting old and insecure SSLv2 mixed with servers supporting TLS 1.x only
- If you are sharing certificates and/or private keys between servers.
Stop now and read the full disclosure. Hire a TLS Engineer (that’s me!) to help you if you do not have this talent in-house.
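The conditions in the list above can be checked against a scan inventory. The following is an added example, not code from the original post: it flags endpoints that accept SSLv2 themselves and TLS-only endpoints whose key is also served by an SSLv2 endpoint. The host names, the `fp-*` key fingerprints and the inventory layout are constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory: hypothetical hosts, and placeholder fingerprints of
# each endpoint's RSA public key (e.g. SHA-256 of SubjectPublicKeyInfo).
INVENTORY = [
    ("mail.example.test:25",  ["SSL 2.0", "TLSv1.0"], "fp-A"),
    ("www.example.test:443",  ["TLSv1.2"],            "fp-A"),
    ("api.example.test:443",  ["TLSv1.1", "TLSv1.2"], "fp-B"),
    ("old.example.test:443",  ["sslv2", "SSLv3"],     "fp-C"),
    ("shop.example.test:443", ["TLSv1.2"],            "fp-C"),
]

# Scanners spell the protocol differently; compare on a normalized form.
SSLV2_NAMES = {"sslv2", "ssl2", "ssl2.0", "sslv2.0"}

def accepts_sslv2(protocols):
    """True if any reported protocol name denotes SSLv2."""
    return any(p.lower().replace(" ", "").replace("_", "") in SSLV2_NAMES
               for p in protocols)

def classify_drown_exposure(inventory):
    """Map host -> (status, sslv2_hosts_sharing_its_key).

    "direct":     the endpoint itself accepts SSLv2.
    "shared-key": TLS-only, but the same key is served by an SSLv2 endpoint.
    "ok":         neither condition holds for this key.
    """
    by_key = defaultdict(list)
    for host, protocols, key_fp in inventory:
        by_key[key_fp].append((host, accepts_sslv2(protocols)))

    result = {}
    for members in by_key.values():
        sslv2_hosts = sorted(h for h, v2 in members if v2)
        for host, v2 in members:
            if v2:
                result[host] = ("direct", [])
            elif sslv2_hosts:
                result[host] = ("shared-key", sslv2_hosts)
            else:
                result[host] = ("ok", [])
    return result

if __name__ == "__main__":
    for host, (status, via) in sorted(classify_drown_exposure(INVENTORY).items()):
        note = f" (key also served over SSLv2 by {', '.join(via)})" if via else ""
        print(f"{host:24} {status}{note}")
```

A "shared-key" result is cleared by disabling SSLv2 on the listed endpoints or by giving the TLS-only server its own key.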