DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) is a newly discovered security flaw affecting up to a third of all HTTPS websites. Although it affects fewer servers than Heartbleed did, server security issues are extremely important and must be addressed.

What is DROWN and why is it important?

DROWN is a weakness affecting HTTPS, the protocol that encrypts communications between a browser and a server. This is the mechanism that protects passwords, credit card information, pictures and any other sensitive business data while they are being sent to a server.

The green lock icon in your browser usually indicates that you are using a secure website; however, DROWN undermines that protection, giving a false sense of security.

DROWN exploits the fact that most servers keep compatibility with very old browser versions that are no longer actively used. This configuration makes them vulnerable and allows attackers to decrypt the data sent during a secure session.

Is anything online still safe?

Don’t panic. At the time the news was published, only 30% of servers were affected. Security updates are available for all widely used server software, and everyone is updating quickly.

Attackers attempting to use this vulnerability to spy on a person’s communication need to be on the same wired or Wi-Fi network as that person, or be a network operator or a government agency. Furthermore, the attack can only be performed against one individual at a time, and it takes time to execute.

I want to know more details.

The drownattack.com website explains the issue in depth and provides a tool to check whether your server needs to be updated.

Recommended actions.

If you own a website or a back-end web service, we recommend that you check if there are any updates available for your server’s software immediately.
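One way to run that check yourself, as an added example that is not from this post or from drownattack.com: a minimal Python probe that offers only SSLv2 (the obsolete protocol DROWN relies on) to a server you administer and reports whether it still answers with an SSLv2 SERVER-HELLO. The host name passed on the command line and the subset of SSLv2 cipher kinds offered are assumptions.

```python
import os
import socket
import struct
import sys

# Assumed subset of SSLv2 cipher kinds (3-byte codes from the SSLv2 spec).
# Any server that answers a hello offering these still speaks SSLv2.
SSLV2_CIPHER_KINDS = [
    b"\x01\x00\x80",  # SSL_CK_RC4_128_WITH_MD5
    b"\x04\x00\x80",  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x07\x00\xc0",  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04


def build_sslv2_client_hello(challenge: bytes = b"") -> bytes:
    """Build an SSLv2 CLIENT-HELLO record (2-byte header, empty session id)."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSLV2_CIPHER_KINDS)
    body = (bytes([MSG_CLIENT_HELLO]) + b"\x00\x02"            # version SSLv2
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body         # high bit: no padding


def parse_sslv2_record(data: bytes) -> bytes:
    """Return the body of an SSLv2 record, or b'' if data is not one (e.g. a TLS alert)."""
    if len(data) < 3 or not data[0] & 0x80:
        return b""
    length = ((data[0] & 0x7F) << 8) | data[1]
    return data[2:2 + length]


def server_speaks_sslv2(response: bytes) -> bool:
    """True when the response is an SSLv2 SERVER-HELLO for protocol version 2."""
    body = parse_sslv2_record(response)
    return len(body) >= 11 and body[0] == MSG_SERVER_HELLO and body[3:5] == b"\x00\x02"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Connect, send an SSLv2-only hello, and report whether the server accepts it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            return server_speaks_sslv2(sock.recv(4096))
        except socket.timeout:
            return False                       # no answer: SSLv2 not offered


if __name__ == "__main__":
    host = sys.argv[1]                         # assumed: a host you administer
    print(host, "SSLv2 ENABLED (exposed to DROWN)" if probe(host) else "SSLv2 not offered")
```

A server that does not offer SSLv2 on port 443 can still be exposed if another service using the same RSA key (a mail server, for example) does, so probe every port that serves the same certificate.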

Customers of Mobile Jazz don’t need to worry. We are running the necessary checks on each of our customers’ servers and will immediately fix any issue we identify, or contact you with instructions.

Jordi Giménez

Jordi has worked as a project manager, developer and security analyst in web, iOS and Android. He has worked for companies big and small in government, banking, insurance, healthcare and IT.