We are DROWNing

Splish Splash Splosh. This is the news of yet another vulnerability, labelled DROWN, in the OpenSSL library (you will no doubt remember Heartbleed and Shellshock from years past).

This was revealed after the OpenSSL people pre-announced a patch, which would address a number of high severity bugs on March the first. Over to drownattack.com to quickly dish the dirt.

The attack enables the cryptography of web servers running SSL and TLS (i.e. all of them) to be broken, enabling an attacker to read or steal sensitive information, such as credit card details or any other secrets in transit.

Drown stands for Decrypting RSA using Obsolete and Weakened eNcryption. As well as a proper name, it also has its own sploshy logo – so it is definitely a thing!

The drownattack people took it upon themselves to do a scan of the Internet. You might be, like we were, surprised that no fewer than 33% of all Web servers running HTTPS on the Internet today are at risk. Here are the stats of vulnerable servers as of 01/03/16:

HTTPS – Top one million domains                     25%

HTTPS – All browser trusted sites                      22%

HTTPS – All sites                                                   33%

There is no action that any browser user can take to defend against this attack therefore it is imperative, if you value yours or you customer’s data, that you install the OpenSSL patch as soon as possible and also do some work to ensure that your private keys are not accessible using any part of the server software that allows SSLv2 connections.

drownattack.com thoroughly dissects this particular bad boy and provides excellent advice for all server types – we recommend that you take a read.


Not such a good week for RSA really, not only are they referred to in the label of a monster bug (the R in DROWN, for those with short memories) but they also committed a fairly large booboo at their own RSA conference in San Francisco.

It turned out that the android devices that RSA handed out to booth babes for the purposes of scanning willing punter’s badges in order that they can be sent even more spam, were totally insecure with a hard coded password within the code itself. Really silly for a security company at a security conference! Still we are confident that the mysterious mithril armour that appears to shield RSA from any of the brown stuff sticking will do the job once more and this will soon be forgotten.

If you would like swimming lessons, a quick rub down with a fluffy towel, or wish to discuss DROWN or in fact any other security issue you may have, please contact us at: 020 7517 3900 or email us at [email protected].