More than 11 million websites and e-mail services protected by the transport layer security protocol are vulnerable to a newly discovered, low-cost attack that decrypts sensitive communications in a matter of hours and in some cases almost immediately, an international team of researchers warned Tuesday March 1 2016. More than 81,000 of the top 1 million most popular Web properties are among the vulnerable HTTPS-protected sites.

This new vulnerability termed as DROWN (Decrypting RSA with Obsolete and Weakened encryption),CVE-2016-0800, a novel cross-protocol attack uses SSLv2 handshakes to decrypt TLS sessions. A patch is already available for countering the vulnerability and the users are advised to upgrade to the following respective versions-

  • OpenSSL 1.0.2 users are strongly advised to upgrade to OpenSSL 1.0.2g
  • OpenSSL 1.0.1 users are recommended to upgrade to OpenSSL 1.0.1s
  • If you are using another version of OpenSSL, you should move up to the newer versions 1.0.2g or 1.0.1s.


The vulnerability allows an attacker to decrypt an intercepted TLS connection by repeatedly using SSLv2 to make connections to a server. In the process, the attacker learns a few bits of information about the encryption key each time. In technical terms, DROWN is a new form of cross-protocol Bleichenbacher padding oracle attack. This attack has been leveraged into a new form of attack (DROWN) that allows an attacker to decrypt intercepted TLS connections by making specially crafted connections to an SSLv2 server that uses the same private key. The most important thing to note is that the attack is only successful if the private keys are same. According to best security practices, however, it is not advisable to reuse private keys. Often times, due to cost, organizations will use a single private key for multiple servers.

This type of attack makes use of bugs in one protocol implementation (SSLv2) to attack the security of connections made under a different protocol entirely — in this case, TLS. More concretely, DROWN is based on the critical observation that while SSLv2 and TLS both support RSA encryption, TLS properly defends against certain well-known attacks on this encryption — while SSLv2’s export suites emphatically do not and DROWN attack relies on a bug in the way OpenSSL handles SSLv2 key processing.


For many FIPS modules, this vulnerability will not directly affect their certifications for a number of reasons. For example, many software FIPS modules do not include protocol implementation within the FIPS boundary (typical FOM implementation) and SSLV2 itself is not a FIPS approved service. Common Criteria, on the other hand, includes a vulnerability assessment. Many certifying schemes include requirement that they will not post any certification for a product with a known vulnerability.