Is DROWN a ‘Hello Kitty’ SSL Vulnerability?

Should you panic about the recently disclosed DROWN SSL vulnerability? Is it cute and kid-friendly, or is it a monster vulnerability coming to expose your most sensitive data?

The DROWN announcement was done the right way:

• Cool acronym (Decrypting RSA with Obsolete and Weakened eNcryption)

• Decent logo

• Domain name (

• Vulnerability check tool

The mainstream tech media has been giving DROWN (CVE-2016-0800) some love, partially because the DROWN research team has some big names like Professor Nadia Heninger (I really do love her research). As usual, they write scary-sounding stuff, but have provided no guidance on how to compare DROWN to other SSL vulnerabilities.

So, how much of a threat is DROWN? Last year I put together a scoring system for enterprise administrators and security architects (i.e., the SecurityWeek readership) to rank SSL/TLS vulnerabilities. My system gauges relative levels of panic for each new vulnerability. To make the scoring system digestible for the media, ranges are based on a Japanese Monster Alert Level.

By my scoring system, DROWN only achieves a Hello Kitty warning level. This is because the asset in play is only a single TLS session (Impact = 3), and the exploitability is non-trivial or impossible on most counts (Exploitability = 2).


[Figure: Exploitability of Popular CVE]

Here’s the breakdown in a single paragraph of how DROWN works:

Be a passive man-in-the-middle (MitM). Record 1,000 TLS sessions. Mince the handshakes and then feed them (in 4,000 new sessions) to an SSLv2 server that is using the same private key. Also, perform a quintillion (10^18) mathematical calculations.

That last part—the 1,125,899,906,842,624 mathematical operations—can be done for about $440 in eight hours using a cluster of NVIDIA GPUs.

The other requirements for DROWN keep its exploitability score low for enterprise administrators. For example, the passive MitM requirement means you won’t be seeing drive-by attacks, just determined adversaries that are in position to see all your traffic.

The key to DROWN is that, to be vulnerable, you have to have SSLv2 enabled on a server that shares its private key with your TLS service. Anyone serious about security should have disabled SSLv2 everywhere. An audit or penetration test should have flagged SSLv2 for you more than two decades ago. The DROWN authors suggest that 33% of the Internet is potentially vulnerable—mostly because of more bugs in OpenSSL. Somehow, and Alibaba got into Alexa’s Top 10,000 vulnerable sites list, but the rest reads like the who’s-not-who (, anyone?)

Having SSLv2 still enabled, even on an email server, is a strong indicator that a site simply hasn’t kept house properly; such a site will likely have other, bigger problems than DROWN.

Indeed, one could assert that the largest impact of DROWN may be the increased spotlight on sites that still support SSLv2 rather than any widespread threat from the vulnerability itself. One customer, who was prompted by the DROWN vulnerability to scan for SSLv2, was shocked to find they still had over 50 Internet-exposed services supporting SSLv2 (including an unpatched, default IIS 7 website).
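The kind of SSLv2 check that scan relied on is short enough to write yourself. The probe below is an added example (not code from the article, the DROWN team or SSL Labs): it sends an SSLv2 CLIENT-HELLO laid out as in the SSLv2 draft and reports which SSLv2 cipher kinds a server you administer answers with, which should be none. The host and port are whatever you are auditing; the fixed challenge bytes are a constructed placeholder.

```python
import socket
import struct

# The seven SSLv2 cipher kinds, 3 bytes each, named as in the SSLv2 draft.
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """SSLv2 CLIENT-HELLO offering every cipher kind, with no session id.
    The challenge is a constructed placeholder; a real probe may randomise it."""
    ciphers = b"".join(SSLV2_CIPHER_KINDS)
    body = (b"\x01"                      # MSG-CLIENT-HELLO
            + b"\x00\x02"                # protocol version 0x0002 = SSLv2
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)
    # Two-byte SSLv2 record header: high bit set, then a 15-bit length.
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_server_hello(record: bytes):
    """Return the cipher kinds offered in an SSLv2 SERVER-HELLO, or None if
    the reply is not one (a TLS alert, a TLS record, or a closed socket)."""
    if len(record) < 13 or not record[0] & 0x80:
        return None
    length = struct.unpack(">H", record[:2])[0] & 0x7FFF
    body = record[2:2 + length]
    if len(body) < 11 or body[0] != 0x04:            # MSG-SERVER-HELLO
        return None
    version, cert_len, cs_len, _conn_len = struct.unpack(">HHHH", body[3:11])
    if version != 0x0002 or cs_len % 3:
        return None
    specs = body[11 + cert_len:11 + cert_len + cs_len]
    if len(specs) != cs_len:
        return None
    return [SSLV2_CIPHER_KINDS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, cs_len, 3)]

def sslv2_enabled(host: str, port: int = 443, timeout: float = 5.0):
    """Probe one endpoint you administer; a non-empty list means SSLv2 is on."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        return parse_server_hello(s.recv(4096))
```

A properly configured server closes the connection or answers with a TLS alert, and the probe returns None; any list of cipher kinds is a finding to fix, whether or not the key is shared.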

Some interesting facts about DROWN:

• Surprisingly, forward secrecy doesn’t help.

• Google’s TLS-like UDP protocol, QUIC, is vulnerable, just not as bad.

• Ivan Ristic at SSL Labs is preparing a special DROWN test that will give a site an F if it’s susceptible.

• There is no exploit tool in the wild. And if DROWN follows the same path as all other “Hello Kitty” SSL vulnerabilities, there won’t ever be one.

I could posit a scenario about a determined attacker who doesn’t mind waiting weeks or months for success. Somehow you mess up and load a high-value certificate into the server with an older version of OpenSSL on a part of the network the attacker already has compromised. The attacker then uses DROWN to sniff out another user’s cookie, and then escalate their privilege.

It could happen. Same as FREAK could happen. Or LOGJAM.

But the determined attacker could almost certainly find another, easier (non-SSL) vulnerability much faster and cheaper than by using DROWN.

Does this mean you don’t have to patch? Of course not; you always have to patch. You don’t need to change all your certificates though, like you did with Heartbleed. If you’ve been auditing and pen-testing your environment, you’re probably safe.

It never hurts to check, though.
