New TLS decryption attack affects one in three servers due to legacy SSLv2 support

Researchers devise new technique to decrypt TLS connections between users and HTTPS servers that still support SSLv2

Security researchers have discovered a new weakness that could allow attackers to spy on encrypted communications between users and one in three HTTPS servers.

The problem exits because many HTTPS servers still support the old and insecure SSL (Secure Sockets Layer) version 2 protocol. SSLv2 was superseded by SSLv3 in 1996, but only officially deprecated in 2011. SSLv3 was replaced, too, by the more modern TLS (Transport Layer Security) versions 1.0, 1.1 and 1.2.

SSLv2 should never be used for encrypted communications. However, security professional didn't see support for it in server configurations as posing a security threat until now, because modern browsers and other TLS-capable clients wouldn't use it.

But a team of security researchers has shown that premise to be incorrect.

In a newly released research paper, they showed that if an HTTPS server supports SSLv2, an attacker can exploit it to decrypt intercepted connections from its clients even if those connections are using the latest and most secure version of the TLS protocol.

Their attack, dubbed DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), has several prerequisites, but is quite practical. First of all, the targeted HTTPS server needs to either support SSLv2 itself or to share its private key with another server that does so -- for example, an email server.

It's quite common for organizations to use the same private key or certificate for TLS implementations on both Web and email servers.

drown attack SSLv2

Diagram showing when servers are vulnerable to the DROWN attack.

The attacker also needs to be in a position to observe several hundred TLS connections between a victim and a vulnerable server. They can do this by monitoring connections over a long period of time or by using malicious JavaScript to force the user's browser to repeatedly establish connections in the background with the targeted website.

Furthermore, the observed connections need to use the RSA key exchange algorithm during the handshake, but this shouldn't be a problem for attackers because RSA is still the most popular key exchange method in TLS implementations.

Once the attacker has the captured connections, he needs to connect to the server over the SSLv2 protocol and send specially crafted handshake messages that contain modifications of the RSA ciphertext copied from the client's TLS connections. These probes will fail, but the way the server responds to them will leak information about the secret keys used for the victim's TLS connections.

In the worst case scenario, an attacker would need to perform roughly 40,000 probe connections and 2^50 computations in order to decrypt one out of 900 observed TLS connections. Running the computations for the attack on Amazon's EC2 cloud computing platform would cost about US$440, the researchers estimated.

Establishing 40,000 HTTPS connections with a server might sound like a large number, but it's not. In tests with an Apache 2.4 server, the researchers completed 10,000 HTTPS requests in under 10 seconds.

The attack is significantly easier to pull off against servers that use a version of the OpenSSL library that's vulnerable to two known flaws.

One of the vulnerabilities is tracked as CVE-2015-3197 and allows a DROWN attacker to connect to the server using disabled SSLv2 cipher suites, if support for SSLv2 itself is enabled. This vulnerability was patched in OpenSSL versions 1.0.1r and 1.0.2f, released on Jan. 28.

The second vulnerability CVE-2016-0703 greatly reduces the time and cost of carrying out the DROWN attack and stems from a bug that was patched in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf back in March 2015, before that flaw's implications were understood and reported to the OpenSSL project.

For servers that are vulnerable to CVE-2016-0703, meaning they last updated their OpenSSL library before March 2015, the DROWN attack can be carried out in less than a minute using a single PC.

The researchers scanned the Internet for vulnerable servers that accept SSLv2 connections over ports associated with SSL/TLS communications: port 443 (HTTPS), port 25 (SMTP with STARTTLS), 110 (POP3 with STARTTLS), 143 (IMAP with STARTTLS), 465 (SMTPS), 587 (SMTP with STARTTLS), 993 (IMAPS) and 995 (POP3S).

They found that 17 percent of all HTTPS servers were directly vulnerable to the generic DROWN attack version. Furthermore, 25 percent of SMTP with STARTTLS servers, 20 percent of POP3S and IMAPS servers and 8 percent of SMTPS servers were vulnerable.

They also found many HTTPS servers that don't support SSLv2 directly, but share the same private key with other Web or email servers that do support it. This makes those non-SSLv2 servers vulnerable too, raising the overall percentage of affected HTTPS servers to 33 percent.

Fortunately, vulnerable servers don't need to replace their certificates, because DROWN doesn't expose their long-term private keys. Instead, the attack only exposes the secret keys negotiated by clients and servers for specific sessions.

It's still a big problem because decrypting even a single session could expose a user's log-in credentials, session cookies and other personal and financial information. However, the attacker would need to execute the DROWN attack for each user.

Server administrators need to ensure they have disabled support for SSLv2 on their servers. The researchers have provided instructions on how to do that for some of the most common TLS libraries and Web servers.

Administrators should also ensure that even if a server doesn't support SSLv2, its private key is not reused on other servers that might. The researchers released a test tool that determines if a server is vulnerable and is affected by key reuse.

An estimated 25 percent of all HTTPS-enabled websites in Alexa's top million traffic list are vulnerable. This includes popular sites like,,,,,,, and

Join the CSO newsletter!

Error: Please check your email address.

More about ApacheRSATransport

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts