How to Remediate: DROWN Attack – OpenSSL HTTPS Websites are at Risk – Are You?

March 3, 2016 | Gavin Hill
Key Takeaways
  • DROWN attack breaks HTTPS on 33% of websites (source:
  • Top sites (according to Alexa Top 10,000) are vulnerable (see the list)
  • Our DROWN Threat Brief has a plan for remediation that goes beyond patching.
  • Don’t make the Heartbleed mistake of patching and forgetting; there’s more to be done.

A new OpenSSL vulnerability, DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), was announced earlier this week, and it affects servers that still support SSLv2. This is truly a huge business risk because of how easy the attack is to pull off: it can be carried out for less than $500. In fact, if you want to see whether a site you use is vulnerable – your bank, your health insurance, your favorite online store – you can check it easily here.

DROWN lets an attacker perform MITM attacks on TLS connections in under 1 minute by sending probes to servers that support SSLv2. The vulnerability impacts roughly 33% of web servers worldwide. Significant as that number is, it does not account for the other services that still allow SSLv2, including email servers, embedded systems, web applications and other software supporting SSL/TLS.

Some are calling this Heartbleed 2.0

The remediation steps DROWN requires are similar to those for Heartbleed. Hopefully organizations will take heed and remediate faster (and more completely) than they did for Heartbleed. Last year, a full year after Heartbleed was discovered, most of the Global 2000 organizations that Venafi surveyed had still not fully remediated Heartbleed. That’s why we recommend doing more than patching to remediate (download our DROWN remediation plan).
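As an added example (not from this post or Venafi’s brief), the triage script below shows why remediation goes beyond patching: DROWN is a cross-protocol attack, so an RSA key is exposed if any endpoint that uses that key still accepts SSLv2, which means the key must be rotated everywhere it is deployed. The hosts, ports and key fingerprints are constructed sample data.

```python
"""Added example (not from the Venafi post): triage a certificate/key inventory
for DROWN exposure. DROWN is cross-protocol: an RSA key is exposed if ANY endpoint
using that key (HTTPS, SMTP, IMAP, ...) still accepts SSLv2, so remediation means
disabling SSLv2 everywhere AND rotating every affected key, not just patching."""
from collections import defaultdict

# Constructed inventory: (host, port, accepts_sslv2, rsa_key_fingerprint)
INVENTORY = [
    ("www.example.test", 443, False, "KEY-A"),
    ("mail.example.test", 25, True, "KEY-A"),    # SMTP still offers SSLv2, shares KEY-A
    ("api.example.test", 443, False, "KEY-B"),
    ("legacy.example.test", 443, True, "KEY-C"),
    ("shop.example.test", 443, False, "KEY-D"),
]


def drown_triage(inventory):
    """Return (endpoints_to_disable_sslv2, keys_to_rotate, endpoints_at_risk)."""
    by_key = defaultdict(list)
    for host, port, sslv2, key in inventory:
        by_key[key].append((host, port, sslv2))
    # Step 1: every endpoint that still answers SSLv2 needs patching/reconfiguring.
    disable = sorted(f"{h}:{p}" for h, p, s, _ in inventory if s)
    # Step 2: any key served by at least one SSLv2 endpoint is considered exposed.
    rotate = sorted(k for k, eps in by_key.items() if any(s for _, _, s in eps))
    # Step 3: every endpoint using an exposed key is at risk, even TLS-only ones.
    at_risk = sorted(f"{h}:{p}" for k in rotate for h, p, _ in by_key[k])
    return disable, rotate, at_risk


def remediation_plan(inventory):
    """Render the triage as a numbered remediation checklist."""
    disable, rotate, at_risk = drown_triage(inventory)
    return "\n".join([
        "1. Disable SSLv2 (patch/reconfigure) on: " + ", ".join(disable),
        "2. Generate new keys and reissue certificates for: " + ", ".join(rotate),
        "3. Deploy the reissued certificates to: " + ", ".join(at_risk),
        "4. Revoke the old certificates and re-scan to confirm no endpoint accepts SSLv2",
    ])


if __name__ == "__main__":
    print(remediation_plan(INVENTORY))
```

Note that www.example.test never spoke SSLv2 itself, yet it lands on the at-risk list because the mail server exposes the same key.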

DROWN hits while Heartbleed still not fully remediated

Your keys and certificates are the foundation of trust

According to the Ponemon Institute, 100% of organizations have responded to an attack that misused keys and certificates in the last two years, and an alarming 54% of them do not know where all of their keys and certificates are located. Not only are attacks that leverage keys and certificates increasing, their impact is as well. The organizations surveyed by the Ponemon Institute estimated the risk of an attack using keys and certificates at $53 million over the next two years—this considerable risk should be a wake-up call for all organizations.

DROWN points out the need to know what’s trusted and what’s not. That’s why we’re here to help. Download our DROWN Threat Brief and then let us know if we can be of assistance.
