Protect Your Server against the DROWN SSL Vulnerability

Today, researchers from various universities and organizations around the world announced the DROWN SSL exploit. DROWN, an acronym standing for Decrypting RSA with Obsolete and Weakened encryption, is an exploit that allows remote decryption of SSL communications even if they are protected by more advanced cipher suites.

Who is affected?

  • Anyone who uses SSL for any service, including but not limited to HTTPS or IMAPS, should assume they are vulnerable to this exploit.
  • Web server software such as Apache or Nginx may have SSLv2 enabled by default, which leaves that server vulnerable.
  • If OpenSSL is used, it is highly likely your server is vulnerable.
  • Many other security and server services may be affected, so be vigilant: assume you need to examine your system and be prepared to update your server.
  • Check which SSL/TLS protocol versions your server accepts using this tool: https://www.ssllabs.com/ssltest/
  • If you choose to fix this issue yourself, this link shows how to generate correct configurations: https://mozilla.github.io/server-side-tls/ssl-config-generator/

While it doesn’t see much use today, many servers still have SSLv2 as a default option for clients to use. If your server supports SSLv2, it is vulnerable to this exploit. Additionally, if the same private key is used on a server that supports SSLv2 and on a server that doesn’t, the server that does not is also vulnerable.

Important note: The servers do not need to be hosted at the same location for this to be successful. If a server hosted in a datacenter uses the same private key as a server in a corporate office, both servers are potentially vulnerable.

As a generic countermeasure to exploits, efforts should be made to make sure all software and operating systems are regularly patched.


What can the attackers gain?

Any communication encrypted by SSL between users and the server can be intercepted. This typically includes, but is not limited to, usernames and passwords, credit card numbers, emails, instant messages, and sensitive documents. Under some common scenarios, an attacker can also impersonate a secure website and intercept or change the content the user sees.

What do you need to do?

If you are a Proactive Managed Hosting customer, your servers have been updated and brought to a safe state.

If you’d like to become an NTSPL Managed Hosting customer, please chat with a hosting expert now for a consultation.

This vulnerability affects many aspects of your server environment, so you may have to take several steps to update your environment to a safe state.

Common vulnerable services:

OpenSSL users: Make sure OpenSSL has been patched to the latest version. OpenSSL 1.0.1 should be upgraded to 1.0.1s, and those using OpenSSL 1.0.2 should make sure they are running 1.0.2g.

Microsoft IIS: Ensure SSLv2 is disabled and update Microsoft IIS to the newest version supported by your server.

Network Security Services (NSS): Ensure SSLv2 is disabled and update to the newest version supported by your server.

Web Servers: For Apache and Nginx web servers, disable SSLv2.
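To audit existing Apache and Nginx configuration for the directives that control this, here is an added Python script (not from the original post or either project) that applies each server's protocol-list semantics and suggests the corrected line; the sample config fragments are constructed, and treating an unqualified Apache `all` as permitting SSLv2 is an assumption noted in the code.

```python
import re

# Apache mod_ssl names that the keyword "all" expands to. Whether a given build still
# includes SSLv2 depends on the OpenSSL it was linked with, so this audit assumes an
# unqualified "all" permits SSLv2 unless it is explicitly removed with -SSLv2.
APACHE_ALL = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
APACHE_FIX = "SSLProtocol all -SSLv2 -SSLv3"
NGINX_FIX = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;"


def apache_protocols(args: str) -> set:
    """Apply SSLProtocol semantics: 'all', '+name' / 'name' adds, '-name' removes."""
    enabled = set()
    for tok in args.split():
        name = tok.lstrip("+-").lower()
        if tok.startswith("-"):
            enabled -= APACHE_ALL if name == "all" else {name}
        elif name == "all":
            enabled |= APACHE_ALL
        else:
            enabled.add(name)
    return enabled


def nginx_protocols(args: str) -> set:
    """nginx enables exactly the protocols listed; nothing is implied."""
    return {tok.lower() for tok in args.split()}


def audit_config(text: str) -> list:
    """Return (line_no, server, allows_sslv2, suggested_line) for every protocol
    directive found; comments are ignored and unrelated lines are skipped."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?i)SSLProtocol\s+(.+)$", line)
        if m:
            findings.append((no, "apache", "sslv2" in apache_protocols(m.group(1)), APACHE_FIX))
            continue
        m = re.match(r"(?i)ssl_protocols\s+([^;]+);", line)
        if m:
            findings.append((no, "nginx", "sslv2" in nginx_protocols(m.group(1)), NGINX_FIX))
    return findings


# Constructed sample fragments (not from any real server): weak directive beside its fix.
SAMPLE_CONFIG = """\
SSLProtocol all
SSLProtocol all -SSLv2 -SSLv3
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # safe
"""
```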

How does DROWN affect the system?

DROWN works by intercepting SSL traffic to the target server that is encrypted with the commonly used TLS (Transport Layer Security) cipher suites and capturing the ciphertext. Once that is done, the attacker repeatedly connects to a server that uses the same private key. Using specially crafted packets, the attacker eventually gets that server to leak enough information that the captured TLS traffic can be decrypted.

Severity: Urgent

This exploit was discovered and released by researchers, which creates a small window in which patches and fixes can be applied before the exploit is widely abused.

NTSPL – Official Offshore Development Centre in India for Odishy LLP, USA

NTSPL, an offshore development center (ODC) in India of Odishy LLP, USA, achieves business goals by offering dedicated and cutting-edge web and mobile app development services. We combine in-depth project management expertise with the highest quality development standards to ensure every project, software and application is a success. At NTSPL we make sure that clients have a positive experience during the whole process of outsourced development.

Odishy LLP with NTSPL – Your Trusted ODC Partners

The single most critical factor in ensuring a smooth transition and migration of activities to an alternate location through outsourcing is the services of a trusted offshore development center partner. We at Odishy LLP also ensure that you have a comfortable experience during the whole process of establishing offshore development with NTSPL, India. A huge number of successful projects behind us, and the fact that clients come back to us time and again, prove the mettle of our offshore developer team at NTSPL.

In the course of setting up an offshore service relation with NTSPL, Odishy LLP provides you the services of an exclusive developer team, wholly committed to your project and acting as a practical extension of your home team. The most up-to-date technologies and processes support your project, integrating seamlessly with your company’s unique needs. Our services are leveraged according to your budgets and time frames.


Advantage of ODC with NTSPL

  • Qualified and experienced professionals on board with expertise in varied technologies
  • Flexibility of the work structure
  • Support for video conferences
  • Individual VoIP connections and collaboration tools for direct communication
  • 24x7 admin support
  • Management and HR expertise to make your offshore development company successful
  • Years of robust growth and consistently enhanced operations

What ODC NTSPL provides:

  • Web Design and Development
  • Responsive Web Design
  • Mobile Application Development
  • Ecommerce Portals
  • Open-Source Technology
  • Multimedia Solutions
  • Digital Marketing Solutions
  • Web Hosting Services
  • ERP Solutions