
DROWN

Generated by DeepSeek V3.2
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: DROWN
Date: March 2016
Target: TLS protocols
Discovered by: Nimrod Aviram, Sebastian Schinzel

DROWN is a serious cryptographic attack that exploits a vulnerability in the deprecated SSLv2 protocol to decrypt modern TLS connections. The attack, publicly disclosed in March 2016 by researchers Nimrod Aviram and Sebastian Schinzel, demonstrated that servers supporting the old protocol could be used to compromise the security of connections using contemporary protocols like TLS 1.2. This cross-protocol weakness affected a significant portion of the internet's secure web servers at the time, highlighting the dangers of maintaining backward compatibility with insecure cryptographic standards.

Overview

The DROWN attack, whose name stands for "Decrypting RSA with Obsolete and Weakened eNcryption," is a form of man-in-the-middle attack that allows an adversary to break the encryption of a TLS session. It specifically targets servers that have their private RSA key exposed through support for the SSLv2 protocol, which was officially deprecated in 2011. The vulnerability stems from fundamental weaknesses in SSLv2, including its support for weak export-grade cryptography that was restricted due to 1990s-era U.S. regulations. By conducting a large number of specially crafted connections to a vulnerable server using SSLv2, an attacker can gather enough information to decrypt a captured TLS handshake from a victim user. Major organizations like the Internet Engineering Task Force and CERT Coordination Center issued urgent advisories following its disclosure.

Technical details

Technically, DROWN is a chosen-ciphertext attack that exploits how SSLv2 handles the RSA encryption used during the key exchange phase of a protocol handshake. The attack leverages the fact that SSLv2 uses a flawed padding scheme and allows the use of weak cipher suites, including those with 40-bit DES keys. An attacker first intercepts a victim's modern TLS connection attempt to a target server, such as one hosted on Apache HTTP Server or nginx. The attacker then queries the same server thousands of times using SSLv2, sending modified versions of the captured encrypted pre-master secret. By analyzing the server's responses, which differ based on padding errors, the attacker can eventually deduce the secret symmetric key and decrypt the original TLS session data. This process was significantly accelerated by employing OpenSSL libraries and powerful cloud computing resources from providers like Amazon Web Services.

Impact and mitigation

Upon its release, scans indicated that nearly a third of all HTTPS servers were vulnerable to some variant of the DROWN attack, including those with certificates from major authorities like Let's Encrypt and DigiCert. High-profile sites, including those run by Yahoo! and certain government portals, were initially affected. The primary and definitive mitigation was to completely disable SSLv2 support on all servers and services, a measure strongly advocated by the Mozilla Foundation, the National Institute of Standards and Technology, and the United States Department of Homeland Security. System administrators were urged to patch their OpenSSL implementations, reconfigure web servers like Microsoft IIS, and use tools from Qualys to test their configurations. The widespread response significantly reduced the attack surface within months, though legacy systems in sectors like IoT remained at risk.
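Because the definitive mitigation is disabling SSLv2 entirely, the practical check an administrator wants is whether a server they operate still answers an SSLv2 CLIENT-HELLO at all (any SERVER-HELLO reply means the legacy protocol is still enabled, regardless of which ciphers it offers). The following is an added example written for this article, not code from the DROWN researchers or from any scanning tool; it encodes the SSLv2 handshake framing from the original Netscape specification, the sample SERVER-HELLO bytes are constructed for offline testing, and `probe()` is a hypothetical helper for use only against hosts you administer.

```python
"""Offline SSLv2 CLIENT-HELLO builder and SERVER-HELLO parser (DROWN exposure check)."""
import socket
import struct
from typing import Optional

# SSLv2 cipher-spec identifiers (3 bytes each). The *_EXPORT40 entries are the
# 40-bit export-grade ciphers that make the DROWN oracle cheap to exploit.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "RC4_128_WITH_MD5",
    b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}

def build_client_hello(challenge: bytes = b"\x11" * 16) -> bytes:
    """SSLv2 CLIENT-HELLO (type 0x01, version 0x0002) offering every cipher spec,
    wrapped in the 2-byte SSLv2 record header (high bit set = no padding byte)."""
    specs = b"".join(SSLV2_CIPHERS)
    body = b"\x01\x00\x02" + struct.pack("!HHH", len(specs), 0, len(challenge))
    body += specs + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body

def parse_server_hello(record: bytes) -> Optional[dict]:
    """Return the cipher specs an SSLv2 SERVER-HELLO (type 0x04) offers, else None."""
    if len(record) < 2 or not record[0] & 0x80:
        return None
    length = ((record[0] & 0x7F) << 8) | record[1]
    msg = record[2:2 + length]
    if len(msg) < 11 or msg[0] != 0x04:
        return None
    # layout: type, session_id_hit, cert_type, version(2), cert_len, specs_len, conn_id_len
    cert_len, specs_len, _conn_len = struct.unpack("!HHH", msg[5:11])
    specs = msg[11 + cert_len:11 + cert_len + specs_len]
    names = [SSLV2_CIPHERS.get(specs[i:i + 3], "unknown") for i in range(0, len(specs), 3)]
    return {"sslv2": True, "ciphers": names, "export": any("EXPORT" in n for n in names)}

# Constructed sample reply: SERVER-HELLO, no cert, two cipher specs, 16-byte connection id.
_sample_body = (b"\x04\x00\x01\x00\x02" + struct.pack("!HHH", 0, 6, 16)
                + b"\x02\x00\x80\x03\x00\x80" + b"\x00" * 16)
SAMPLE_SERVER_HELLO = struct.pack("!H", 0x8000 | len(_sample_body)) + _sample_body

def probe(host: str, port: int = 443, timeout: float = 5.0) -> Optional[dict]:
    """Hypothetical live check for a host you administer: one CLIENT-HELLO, one record back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        hdr = s.recv(2)
        if len(hdr) < 2 or not hdr[0] & 0x80:
            return None          # TLS alert or silence: SSLv2 not spoken
        need = ((hdr[0] & 0x7F) << 8) | hdr[1]
        body = b""
        while len(body) < need:
            chunk = s.recv(need - len(body))
            if not chunk:
                break
            body += chunk
    return parse_server_hello(hdr + body)
```

A result of `None` is the desired outcome; any parsed dictionary means SSLv2 is still enabled and the server must be reconfigured, whether or not the export ciphers appear in the list.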

Historical context

DROWN emerged from a long history of cryptographic attacks on early Internet protocols, following in the footsteps of earlier vulnerabilities like POODLE and FREAK. Its feasibility was rooted in the 1990s Crypto Wars, when the United States government enforced export controls that limited the strength of encryption software sold abroad, leading to the creation of deliberately weakened export-grade cryptography. Although SSLv2 was designed by Netscape in the mid-1990s and formally deprecated by the Internet Engineering Task Force years earlier, its continued support for compatibility created a critical security liability. The discovery of DROWN underscored the persistent danger of cryptographic "backdoors" and the importance of fully retiring outdated standards, a lesson later reinforced by attacks such as Logjam.

DROWN is part of a family of attacks targeting the TLS/SSL ecosystem. The POODLE attack, disclosed in 2014, also exploited legacy support for SSLv3 to decrypt secure sessions. FREAK and Logjam were other notable attacks that similarly leveraged weaknesses in export-grade cryptography and the Diffie–Hellman key exchange to compromise TLS connections. Earlier exploits like CRIME and BREACH targeted compression within the protocol. Research into these vulnerabilities has been prominently conducted by teams from Tel Aviv University, Münster University of Applied Sciences, and security firms like Google Security and Codenomicon, driving the evolution towards more robust protocols like TLS 1.3.

Category:Cryptographic attacks Category:Computer security exploits Category:Transport Layer Security