A new security vulnerability as been identified in Open SSL that could effect up to 11 million websites or around one third of all computer servers using the HTTPS protocol.
A fix has been identified and is being issued but it will take some time for website administrators to make sure their systems are protected.
This tool has been released to allow you to check if your domain is vulnerable to attack.
The hack may not even been in use yet as it was discovered by researchers who worked out that a very old vulnerability that dates back to 1998, can be used to disable encryption protections. This means once decrypted, passwords, credit card numbers and other sensitive information could be accessible.
What is the DROWN Attack?
DROWN is an acronym for Decrypting RSA with Obsolete and Weakened eNcryption.
It is a cross-protocol attack that uses the weaknesses the researchers identified in the SSL v2 implementation against the TLS and that can decrypt passively collected sessions.
A key measure to protect yourself is to ensure SSL v2 has been disabled and to ensure the private key is not shared across servers. You should also upgrade your OpenSSL to the latest versions.
This is obviously at a level most IT users and network managers are not familiar with or even have access to, so you will need to speak to your server hosting supplier to ensure that they are addressing these issues and that your website and other secure server data will not be vulnerable to a DROWN attack.
For those who need assistance, we can advise on any questions you may have.