What is DROWN?
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption, CVE-2016-0800) is a serious vulnerability that affects HTTPS and any other service that relies on SSL/TLS. It is a cross-protocol attack: a server that still accepts SSLv2, together with the 40-bit export-grade ciphers that come with it, can be used as a decryption oracle against TLS connections that used RSA key exchange under the same RSA private key, even when those TLS connections were made to a different, fully patched server. This lets an attacker break the encryption and read or steal sensitive communications. Under some common scenarios, an attacker sitting between the user and the site can also impersonate the secure website and intercept or change the content the user sees.
Am I at risk?
If your server supports SSLv2, then your server is vulnerable. SSLv2 was deprecated in 2011 (RFC 6176 prohibits its use), so most modern services no longer enable it. However, if you are running an older server, or a server that was configured to keep these older protocols enabled for compatibility, then you are at risk. Furthermore, if your site uses the same SSL private key as any other server or service that supports SSLv2, then an attacker can use that SSLv2 service as an oracle to decrypt traffic to your site, even though your site itself does not speak SSLv2. The attack decrypts individual sessions that used RSA key exchange; it does not hand the attacker the private key itself, and sessions that used forward-secret (DHE or ECDHE) key exchange cannot be decrypted this way. Therefore, it is imperative that every service using a particular SSL private key be updated so that it no longer accepts SSLv2 connections.
The following site provides a thorough description of the technical details of the DROWN attack and how it works: https://drownattack.com/.
How do I protect my server from DROWN?
In order to protect your server against DROWN, you will need to ensure that your SSL private keys are not used on any server that accepts SSLv2 connections. This includes web servers, mail servers (SMTP, IMAP and POP, including their STARTTLS variants), FTP servers, control panels or any other service that could possibly allow SSLv2 connections, on every port and hostname that shares the key. Disabling SSLv2 is done per service in its own configuration (for Apache httpd the SSLProtocol directive, for nginx ssl_protocols, for Postfix the smtpd_tls_mandatory_protocols and smtpd_tls_protocols settings, for Dovecot ssl_protocols), so check each one rather than assuming a single change covers the whole machine. After making the changes, verify from the outside that no port on the host still answers an SSLv2 handshake; a handshake test is the only reliable check, because an installed OpenSSL that lacks SSLv2 support can make `openssl s_client -ssl2` fail for reasons unrelated to the server.
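The following probe is an added example for the "Am I at risk?" and "How do I protect my server?" questions above; it is not part of the original article or any Vivio tool. Because OpenSSL 1.1.0 and later (and therefore Python's ssl module) cannot speak SSLv2 at all, the script sends a raw SSLv2 CLIENT-HELLO record and checks whether the server answers with an SSLv2 SERVER-HELLO, which is exactly the behaviour a DROWN oracle needs. It also lists the ciphers the server offers, flagging the two 40-bit export suites the attack relies on. The host, port and the sample SERVER-HELLO used for offline testing are constructed for illustration; the probe only handles ports that speak SSL directly (443, 465, 993, 995, 990), not STARTTLS ports.

```python
"""SSLv2 exposure probe for DROWN (added example, not from the original article).

Sends a raw SSLv2 CLIENT-HELLO and reports whether an SSLv2 SERVER-HELLO comes
back.  Usage: python sslv2_probe.py HOST [PORT]   (PORT defaults to 443).
"""
import os
import socket
import struct
import sys

# SSLv2 CIPHER-KIND values (3 bytes each) as defined in the SSL 2.0 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# The two 40-bit export suites are the ones the DROWN oracle is built on.
EXPORT_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}

MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
SSLV2_VERSION = 0x0002


def build_client_hello(challenge=None):
    """Return a complete SSLv2 record carrying a CLIENT-HELLO that offers every cipher."""
    if challenge is None:
        challenge = os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS)           # dict iteration yields the 3-byte keys
    body = (bytes([MSG_CLIENT_HELLO]) + struct.pack(">H", SSLV2_VERSION)
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))  # cipher, session-id, challenge lengths
            + ciphers + challenge)
    # Two-byte record header: high bit set means "no padding", low 15 bits are the length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(data):
    """Parse an SSLv2 SERVER-HELLO record; return a dict, or None if data is not one."""
    if len(data) < 2 or not data[0] & 0x80:
        return None                 # TLS records start with 0x14..0x17, never with the high bit set
    rec_len = ((data[0] & 0x7f) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) != rec_len or len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    version = struct.unpack(">H", body[3:5])[0]
    cert_len, ciphers_len, conn_id_len = struct.unpack(">HHH", body[5:11])
    if len(body) < 11 + cert_len + ciphers_len + conn_id_len:
        return None                 # declared lengths exceed the record: truncated or bogus
    cert = body[11:11 + cert_len]
    raw = body[11 + cert_len:11 + cert_len + ciphers_len]
    ciphers = [raw[i:i + 3] for i in range(0, ciphers_len - ciphers_len % 3, 3)]
    return {
        "version": version,
        "session_id_hit": body[1],
        "certificate_der": cert,
        "ciphers": [SSLV2_CIPHERS.get(c, c.hex()) for c in ciphers],
        "export_ciphers": [SSLV2_CIPHERS[c] for c in ciphers if c in EXPORT_CIPHERS],
    }


def probe(host, port, timeout=5.0):
    """Connect, send the CLIENT-HELLO and return the parsed SERVER-HELLO, or None."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = b""
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            data += chunk
            if not data[0] & 0x80:
                break               # not an SSLv2 record header (TLS alert, banner, garbage)
            need = 2 + (((data[0] & 0x7f) << 8) | data[1])
            if len(data) >= need:
                break               # full record received
    return parse_server_hello(data)


def sample_server_hello():
    """Constructed SERVER-HELLO from a server still offering RC4-128 and RC4-40-export.
    The 'certificate' bytes are a placeholder, not real DER (test data only)."""
    cert = b"\x30\x03\x02\x01\x01"
    ciphers = b"\x01\x00\x80" + b"\x02\x00\x80"
    conn_id = b"\xaa" * 16
    body = (bytes([MSG_SERVER_HELLO]) + b"\x00" + b"\x01"   # no session hit, X.509 certificate type
            + struct.pack(">H", SSLV2_VERSION)
            + struct.pack(">HHH", len(cert), len(ciphers), len(conn_id))
            + cert + ciphers + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder target
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    try:
        hello = probe(host, port)
    except OSError as exc:
        sys.exit(f"{host}:{port}: connection failed ({exc})")
    if hello is None:
        print(f"{host}:{port}: no SSLv2 SERVER-HELLO; SSLv2 appears to be disabled")
    else:
        print(f"{host}:{port}: VULNERABLE, SSLv2 accepted; ciphers: {', '.join(hello['ciphers'])}")
        if hello["export_ciphers"]:
            print("  export-grade ciphers offered: " + ", ".join(hello["export_ciphers"]))
```

Run it against every port on every host that shares the key, not just the web server: a clean result on 443 says nothing about the mail server on 465 or 993. A server that replies with a TLS alert, a plain-text banner, or simply closes the connection is reported as not accepting SSLv2, which is the desired outcome after hardening.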
In order to protect our clients, Vivio is currently offering free server hardening (disabling SSLv2 and SSLv3 across all services on your hosting account) for both Managed and Fundamental Support clients. Simply contact support if you would like us to make this update for you. If you would like to address the issue yourself, Vivio has prepared the following Knowledge Base article, which shows you how to disable SSLv2 in most services on your server:
You can also reach out to Vivio using our Contact Form: