Edited: There's now a useful website to test whether a website's HTTPS connection is vulnerable to the DROWN attack. Just follow this link and enter your URL, including https://, to check for DROWN vulnerability.
Last week big news hit the SSL (Secure Sockets Layer) website security world: a new vulnerability was found in websites that use an HTTPS connection when SSL has not been disabled in the security configuration. More than 11 million HTTPS websites are vulnerable to this newly discovered low-cost attack, which takes advantage of a weakness in SSL connections.
So how is website security relevant to everyday users? When a website is not encrypted, any data passing between the web server and the user can be intercepted and read by hackers. This information may include credit card numbers, usernames and passwords for signing in, email addresses, physical addresses, phone numbers and more. Hackers can also use that information to access email, PayPal or bank accounts! That is where SSL steps in: it encrypts all the data transferred between web servers and users. Since 1995, SSL has progressively evolved to improve security on the web, and in 1999 SSL was replaced by the more secure TLS (Transport Layer Security). However, many web servers still allow the deprecated SSL protocols for maximum compatibility.
SSL for website owners
Last week, the DROWN attack was revealed. It exploits SSL support that is left enabled by default on websites to decrypt data transferred between web servers and users. Any web server that does not turn off support for SSL is vulnerable to this attack. As the owner of an SSL-enabled website, you need to take steps to make sure your security configuration is up to date to prevent a DROWN attack. At Beewebby, all our SSL connections are managed by the Nginx web server with only TLS enabled. Here is the independent security test of one of our latest websites:
All websites managed by Beewebby have the highest possible score in security testing by Qualys SSL Labs, i.e. they are not vulnerable to any known attack.
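To show what "only TLS enabled" looks like in practice, here is an added example Nginx server block (not Beewebby's actual configuration); the hostname and certificate paths are placeholders, and the TLSv1.3 value assumes an Nginx and OpenSSL build recent enough to support it.

```nginx
# Added example, not the site's real configuration.
server {
    listen 443 ssl;
    server_name www.example.com;            # placeholder hostname

    ssl_certificate     /etc/nginx/certs/example.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.key;   # placeholder path

    # Weak setting (kept here only as a comment): leaves the deprecated
    # SSL protocols enabled, which is exactly what DROWN relies on.
    # ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    # Corrected setting: TLS only, no SSL version at all.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Note: the same certificate and private key must not be served by any
    # other host or service that still accepts SSLv2, or the fix is undone.
}
```

After reloading Nginx, re-run the Qualys SSL Labs test to confirm that no SSL version is listed under the supported protocols.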
Security for Web Surfers
Okay, so you don't manage or own a website. Does this vulnerability affect you? Absolutely! When browsing a non-secure website, do not enter any sensitive information, or you risk your private data being stolen and used for malicious purposes. How can you tell whether a website is properly secured? Luckily for us, all modern browsers show a security indicator for everyday users.
Notice the green padlock that appears before the URL in the address bar: a green padlock means your browser's connection to the web server is encrypted. All good? Not so fast. If you click the green padlock and open the connection tab:
you will see the details of the encrypted connection. If the line that says "Your connection to www.example.com is encrypted using a modern cipher suite." instead says "obsolete cipher suite", the connection is vulnerable to the latest DROWN attack. Even on "modern cipher suite" websites, there are ways to downgrade the connection to a deprecated one for the attack. So the only sure way to know is to get an independent SSL audit from Qualys SSL Labs; any rating below "A" is vulnerable to this attack. But fear not, because most SSL certificates come with insurance that covers this when an attack happens. Knowing this simply makes you a more diligent internet user.