The old and weak version two of the TLS/SSL protocol, which is still enabled on millions of servers around the world, has been found to be breakable using a vulnerability dubbed DROWN.
DROWN stands for 'decrypting RSA with obsolete and weakened encryption'. It allows attackers to decrypt intercepted TLS communications if the 20-year-old SSLv2 protocol is supported on servers, a group of researchers has found.
Furthermore, if servers' private keys are used on other servers that also allow SSLv2, they are also vulnerable to DROWN. This, the researchers said, is common as many companies reuse certificates and keys on, for example, web and email servers.
Many Australian and New Zealand bank servers tested by the researchers in February this year showed up as being vulnerable to DROWN, making them vulnerable to eavesdropping.
Around the world, several well-known internet properties including Buzzfeed, Yahoo, Alibaba, Weather.com, Flickr, Speedtest, Groupon, and more are currently vulnerable to DROWN.
A list of DROWN-vulnerable Alexa top-10,000 sites was published by the researchers, who estimated that in total, a third of all HTTPS servers are affected by the flaw.
Although the researchers are not aware of any current DROWN exploits, they suggest administrators take countermeasures now, as details of the vulnerability are published.
According to the researchers, decrypting one out of 900 TLS connections requires around 40,000 probes, and 2^50 computation, the cost of which would be US$440 (A$613) on Amazon Web Services EC2 cloud for eight hours.
A technical paper discussing the issue, DROWN: Breaking TLS using SSLv2 [pdf], has also been published.
The researchers said US government policies that restricted export of strong cryptography in the late 1990s to make it easier for the National Security Agency to eavesdrop on communications contributed to DROWN.
Three cryptographic primitives were deliberately weakened by the US government, including RSA encryption, the Diffie-Hellman key exchange protocol and the export-grade symmetric ciphers that DROWN exploits, the researchers said.
This, the researchers said, demonstrates how deliberately weakened cryptography can come back and hurt internet security years later.
To mitigate against DROWN, the open source OpenSSL cryptographic library will disable SSL version 2 by default from now on in the new versions 1.0.1s and 1.0.2g, and also remove the SSLv2 EXPORT ciphers.
OpenSSL strongly recommends against using SSLv2 not just because of DROWN but other known deficiencies in the protocol.
Another high severity vulnerability that affects OpenSSL versions prior to March last year allows for a "divide and conquer" key recovery attack was reported to the maintainers of the library in February.
The defect has already been fixed in OpenSSL versions released on March 19 last year.
In vulnerable versions, the flaw can be used to determine the SSLv2 master key with just 16 connections to a server, and with very little computational effort.
This, in turn, makes the DROWN vulnerability more efficient, and effective against non-export cipher suites.
Breaking the encryption by taking advantage of the older, vulnerable versions of OpenSSL would only require about a minute's worth of computational effort on a fast personal computer.
Microsoft's Internet Information Services (IIS) server versions 7.0 and above have SSLv2 disabled by default, but the researchers advised admins to check if the private keys are used elsewhere as a precaution.
The Network Security Services (NSS) cryptographic library starting with versions 3.13 from 2012 and higher also have SSLv2 disabled by default, but users who have enabled the older protocol manually should turn it off.
