The DROWN Attack

March 3, 2016 - Security

Last year saw a number of well-publicized SSL security vulnerabilities, many of them with their own sites and branding. (Heartbleed, FREAK, and Logjam are among the most well-known.) The latest is DROWN, which was publicized last week, and stands for Decrypting RSA with Obsolete and Weakened eNcryption.

What is it?

DROWN is a way for an attacker to quickly (remarkably quickly, within hours or even minutes) break the encryption used by some secure sites. It relies on a very old and unused protocol, SSLv2, which isn’t generally actually used, but is occasionally supported by misconfigured webservers.

Who is affected?

The drownattack.com site claims up to 33% of sites may be effected, globally. There is at least some discussion that the testing tool at the DROWN site results in false positives, which is acknowledged on the DROWN site as well. So the actual number of impacted sites is likely less than the percentages you may see in headlines.

Are FoxyCart users vulnerable?

No. Our application environment doesn’t support SSLv2, nor do we reuse any private keys for our SSL certificates across our environments, which further reduces the risk even if SSLv2 were enabled anywhere.

Back to the false positives we mentioned above: The testing tool at the DROWN site may report we are vulnerable to DROWN, but the IP address it reports for *.foxycart.com is used only for a legacy failover system, which was isolated from our production environment, and used separate SSL keys. Since the DROWN announcement, we’ve taken this system offline in order to perform the necessary upgrades. It has no bearing on the FoxyCart systems or service.

Is there anything I need to do?

Nope! Not as far as your FoxyCart account is concerned, at least. We do recommend you check your other systems that use SSL, however.

If you have any questions or concerns, please don’t hesitate to contact us.