DROWN Attack

Earlier this week, we learned of yet another attack against SSL/TLS, this one exploiting servers that still accept the long-obsolete SSLv2 protocol: an attacker who can speak SSLv2 to a server can use it as a decryption oracle against TLS sessions protected by the same RSA key, even though the victim's client never used anything but modern TLS. It's called DROWN. Here's a good news article on the attack, the technical paper describing the attack, and a very good technical blog post by Matthew Green.

As an aside, I am getting pretty annoyed at all the marketing surrounding vulnerabilities these days. Vulnerabilities do not need a catchy name, a dedicated website -- even though it's a very good website -- and a logo.

Posted on March 3, 2016 at 2:09 PM • 24 Comments


Anura • March 3, 2016 2:51 PM

Well, how else will you get attention without a fancy website? The seriousness of this isn't very high. Anyone who has ever paid attention in the last decade has already disabled SSLv2, and those that didn't are vulnerable to quite a few vulnerabilities already.

Ross Snider • March 3, 2016 2:58 PM

Interesting observation made at the end of the paper:

9.5 Harms from deliberately weakening cryptography

Export-grade cipher suites for TLS deliberately weakened three primitives to the point that they are broken even to enthusiastic amateurs today: 512-bit RSA key exchange, 512-bit Diffie-Hellman key exchange, and 40-bit symmetric encryption. All three deliberately-weakened primitives have been cornerstones of high-profile attacks: FREAK attack against export RSA, Logjam against Diffie-Hellman, and our DROWN attack against export-grade symmetric cryptography.

Our results illustrate, like FREAK and Logjam, the continued harm that a legacy of deliberately weakened export-grade cryptography inflicts on the security of modern systems, even decades after the regulations influencing the original design were lifted. The attacks described in this paper are fully feasible against export cipher suites today; against even DES they would be at the limits of the computational power available to an attacker. The technical debt induced by cryptographic “front doors” has left implementations vulnerable for decades. Together with the slow rate at which obsolete protocols and primitives entirely disappear, we can expect some fraction of hosts to continue to be vulnerable for years to come.

Jacob • March 3, 2016 3:14 PM

I think that major vulnerabilities do need an easy-to-remember name as a reference in future discussions.
If one refers to them only by their CVE number, others would need to look up and see what was that vulnerability all about.

Just as major hurricanes get a name - and it's enough to mention Katrina to feel again the pain it unleashed on New Orleans' population.

Calling far away stars, galaxies and asteroids by a random mix of alphanumeric strings is OK as long as there is no chance of being affected by them. I trust that once an asteroid gets too close to earth it would also get a catchy name.

Jonathan Wilson • March 3, 2016 3:34 PM

The problem is not "export grade encryption", the real problem is libraries, software, servers and other things that continue to support cryptography that is known to be totally broken and insecure.

Even the mighty Google (a company that should know what it's doing when it comes to security) continues to support the totally insecure SSL3 protocol on its https websites.

yoshi2 • March 3, 2016 3:48 PM

Thanks for the articles. This is important info. What is the best way to spread word to sys admins about these things?

It's regular articles and security site updates like this that give me the impression that most internetworking anywhere anytime really isn't secure because there's a constant stream of vulnerabilities and/or malware discovered (or hidden) month after month year after year.

It reminds me of another belief that I have:

Computers have the reputation of being good at storing info; however, what they are really good at is CHANGING information. They are actually quite poor at storing information because of all the caveats.

Coincidentally, the last time I was talking about that belief to a friend of mine over the phone, my house got struck by lightning and the phone lines got fried. True story.
Life is stranger than fiction. But back on point, as depressing as this news is, it makes it seem miraculous that anything anywhere actually works with all these design flaws and bugs and vulnerabilities and hacks and "Eve's" out there.

Will • March 3, 2016 4:43 PM

Just think about RSA's revelation they took money from NSA to build the BSAFE toolkit libraries around a deliberately weakened random number generator. Then think again about how much decade-old code is relying on that toolkit.

albert • March 3, 2016 4:53 PM

Just got an email this AM from our web hosting service, saying that they'll be down for a "scheduled security software update".

Timing? Just a coincidence, I'm sure....
. .. . .. --- ....

Marcos El Malo • March 3, 2016 6:15 PM

"Snazzy" website and nifty icon isn't that big a deal (and may make it easier for laymen and journalists to get the cliff's notes version), but what is up with the attacker? He's wearing a monocle and a homburg. Do not pass Go.

Casey_tay • March 3, 2016 6:59 PM

Hello Bruce, IMHO, your first statement on DROWN may not be accurate- the vulnerability does not force or renegotiate victim to an insecure algorithm. It uses a server's support for insecure SSLv2 to derive the RSA key and use it to decipher encrypted traffic over the secure TLS channel. Thanks.

IanM • March 3, 2016 7:45 PM

Why are people still saying disable SSL v2/3? Why are they not being removed entirely so there can be no bug that re-enables them? Oh wait, LibreSSL did just that. Seriously, dead code requires removal. SSLv2 should have been removed a decade or so ago, SSLv3 when POODLE happened...... I seriously hope moving forward, when TLS vX.y is made redundant, we don't keep them hanging around just so we can have the next cryptogeddon.......

Magnus • March 3, 2016 7:47 PM

"As an aside, I am getting pretty annoyed at all the marketing surrounding vulnerabilities these days."

Oh let the kids have their fun ;-)

Petter • March 4, 2016 12:54 AM

So when will the warning of a catchy vulnerability be used for a scam or as an attack vector to get less knowledgeable people to install something or reduce their security?

"The Blood Splatter Bug"
Risk to the whole internet!
Tech bulletin CVE 17X38, this and that.
Click here to install and fix!

Lazyjack • March 4, 2016 2:51 AM

Well, Bruce, once you join IBM, you'll have to get used to everything having acronyms, most of which don't even sound cool.
OTOH I 100% agree with you. I'm wondering when vulnerabilities will have their own twitter channel and facebook page with likes.

SysAdmin-42 • March 4, 2016 11:29 AM

From the PCI side SSLv3 retirement has been pushed back. I can only assume by business interests claiming customers on older PCs would be left out, reducing sales. From the sysadmin side, I wouldn't mind dropping all SSLvX. I've actually heard the older PC argument before.

MikeA • March 4, 2016 11:54 AM

The argument "Screw old PCs, their owners should just buy a new one" is somewhat affected by the very high probability that the new one will be stuffed to the gills with exploit enablers, either by malicious intent or the makers having very different priorities for their developers (I'm looking at _you_ OSX).

No, I don't have "the answer" but blindly updating to the latest shiny is surely not it.

Anura • March 4, 2016 11:56 AM

Apparently people still care about IE6 backwards compatibility. That's really the only old browser still seeing some use that doesn't support TLS 1.0 out of the box. At this point, most websites won't work right with IE6 in the first place, and the market share (outside of China) is so small that it's probably not worth worrying about.

Anura • March 4, 2016 12:05 PM

If you don't have a browser with TLS 1.0+ enabled by default, it means your browser is so out of date that any upgrade is going to be more secure.

z • March 4, 2016 12:22 PM

Amazing that we are STILL paying for the utterly awful idea of export grade crypto from decades ago and yet we are STILL trying to stop the government from weakening crypto in 2016.

There Are No Alternatives Available • March 4, 2016 1:56 PM

@Magnum P.I.

That was similar to my reaction. Then I thought of the potential response "What use is it to be annoyed by a bunch of kids/racists/kkk with their own website". Which is so apropos to where I live it's not at all funny. I.e. I guess what Schneier might be annoyed enough about to publicly express as much, is how that particular form of unobtrusive free speech (some person's website nobody put a gun at your browser telling it to visit) can possibly, if at such a measurable amount on some spectrum, could perhaps systemically damage society so badly it is worth oppressing. I suppose the specific time limits on various German anti-free-speech laws are supposed to make them justifiable logically. I'm worried the nuance of such good intent may be lost on the world Donald Trump has created.

Anon • March 5, 2016 7:16 PM

I've said it before, and I'll say it again: we must break compatibility and re-write core code/functionality from scratch, in order to make better systems for the future. Until a serious effort is made to do that, we will keep running into problems.

PCIDSS is a total joke, only no-one has the cojones to stand up and say it.

As for DROWN having a name and website, I actually thought it was a good idea. Makes it easy to reference.

RonK • March 6, 2016 1:03 AM

> Vulnerabilities do not need a catchy name, ...

I have to admit, I side against you on this one. Personally, I think most things which raise the visibility of vulnerabilities are good for several reasons.

1. The public has a better chance of finding out about this vulnerability, which puts more pressure on the providers of hosted solutions to mitigate it promptly.
2. The security researchers who discovered the vulnerability get more exposure and therefore, indirectly, more compensation for their work.
3. The exposure makes security research a more attractive field for qualified young people to consider as a future profession.

Personally, I hate most marketing, but this is a case where I think it is justified.

Ikke • March 6, 2016 6:17 PM

The real issue (that was drowned in all the hype) is that people use the same certificate on multiple services, with the result that the security of all is at most the security of the weakest.
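Casey_tay's and Ikke's comments above describe the part of DROWN that inventories tend to miss: the oracle is the RSA key, not the host or port, so a TLS-only service is exposed if any SSLv2-enabled endpoint anywhere offers the same key. The following is an added example, not code from the post or from the DROWN authors; it works over a constructed scan report (made-up hostnames and fingerprints) and groups endpoints by SPKI fingerprint to show which services inherit another service's SSLv2 exposure. It assumes a scanner has already produced one line per endpoint with the key fingerprint and whether SSLv2 was negotiable.

```python
from collections import defaultdict

# Constructed scan output (not real hosts or fingerprints), one endpoint per
# line: host, port, SubjectPublicKeyInfo fingerprint, and whether the scanner
# could negotiate SSLv2. The SPKI fingerprint identifies the key regardless of
# which certificate wraps it, which is the property DROWN cares about.
SCAN_REPORT = """\
# host                port  spki                 sslv2
www.example.test      443   sha256:a1a1a1a1a1a1  sslv2=no
mail.example.test     465   sha256:a1a1a1a1a1a1  sslv2=yes
imap.example.test     993   sha256:b2b2b2b2b2b2  sslv2=no
legacy.example.test   443   sha256:c3c3c3c3c3c3  sslv2=yes
"""


def parse_report(text):
    """Turn the whitespace-separated report into a list of endpoint dicts."""
    endpoints = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, port, spki, flag = line.split()
        endpoints.append({
            "endpoint": f"{host}:{port}",
            "spki": spki,
            "sslv2": flag.split("=", 1)[1].lower() == "yes",
        })
    return endpoints


def drown_exposure(endpoints):
    """Map each exposed endpoint to the SSLv2-enabled endpoints that expose it.

    An endpoint is exposed when any endpoint sharing its key speaks SSLv2,
    including itself. Endpoints whose key is only ever served over TLS are
    absent from the result. Any SSLv2 support is treated as disqualifying,
    matching the 2016 advice to disable SSLv2 outright rather than audit its
    cipher list.
    """
    by_key = defaultdict(list)
    for ep in endpoints:
        by_key[ep["spki"]].append(ep)

    exposure = {}
    for ep in endpoints:
        oracles = [o["endpoint"] for o in by_key[ep["spki"]] if o["sslv2"]]
        if oracles:
            exposure[ep["endpoint"]] = oracles
    return exposure


def remediation_plan(endpoints):
    """List the distinct endpoints where disabling SSLv2 closes every oracle."""
    exposure = drown_exposure(endpoints)
    return sorted({oracle for oracles in exposure.values() for oracle in oracles})


if __name__ == "__main__":
    eps = parse_report(SCAN_REPORT)
    for endpoint, oracles in sorted(drown_exposure(eps).items()):
        via = ", ".join(oracles)
        print(f"{endpoint}: exposed to DROWN via SSLv2 on {via}")
    print("disable SSLv2 on:", ", ".join(remediation_plan(eps)))
```

In the constructed data, `www.example.test:443` never speaks SSLv2 itself but shares its key with the mail server that does, so it is reported as exposed; `imap.example.test:993` uses a key that is only ever served over TLS and is left alone. The same grouping extends to any key-reuse problem where one endpoint's weak configuration acts as an oracle for another's.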

Chris • March 15, 2016 6:36 AM

Something super scammy about that web site. It's got a "test" button which does not even bother to contact the site you type in. Looks like a trick to get people to give them a list of web sites...


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.