How to Remediate: DROWN Attack – OpenSSL HTTPS Websites are at Risk – Are You?

DROWN lets an attacker perform MITM attacks on TLS connections in under 1 minute by sending probes to servers that support SSLv2. The vulnerability impacts roughly 33% of webservers worldwide. Even though this number is significant, it does not account for other services that allow SSLv2, including, email servers, embedded systems, web applications and software supporting SSL/TLS.

Some are calling this Heartbleed 2.0

Like Heartbleed, there are similarities in required remediation steps. Hopefully organizations will take heed and remediate faster (and more completely) than they did for Heartbleed. Last year, a full year after Heartbleed was discovered, most of the global 2000 organizations that Venafi surveyed had still not yet remediated Heartbleed. That’s why we recommend doing more to remediate (download our DROWN remediation plan).

Your keys and certificates are the foundation of trust

According to the Ponemon Institute, 100% of organizations have responded to an attack that misuses keys and certificates in the last two years. And an alarming 54% of them are unaware of where all of their keys and certificates are located. Not only are attacks that leverage keys and certificates increasing, their impact is as well. The organizations surveyed by the Ponemon Institute estimated the risk of an attack using keys and certificates at $53 million over the next two years—this considerable risk should be a wakeup call for all organizations.

DROWN points out the need to know what’s trusted and what’s not. That’s why we’re here to help. Download our DROWN Threat Brief and then let us know if we can be of assistance.