New 'Drown' Bug: Millions of Secure Sites Could be at Risk

John Lister's picture

An estimated 11 million secure websites could be vulnerable to hackers exploiting a security bug. Amazingly, the bug has to do with technology that is over 20 years old. There's little, if anything, website visitors can do, as the bug needs fixing by site operators. However, it is possible to check if a site appears to be vulnerable.

The bug has been dubbed Drown, a name rather tenuously derived from "Decrypting the RSA algorithm with Obsolete and Weakened eNcryption."

Researchers who uncovered the bug aren't publishing the precise details. At the moment it's not known if hackers were aware of the bug or actively seeking to exploit it, but even if they weren't, the clock is now clearly ticking as they'll have been tipped off by the revelations.

1990s Security Technology at Fault

The bug actually involves SSL2, an encryption technique used back in the 1990s that's now considered extremely outdated. The problem is that the bug affects websites which still support SSL2, even if they don't actually use it. The bug is somewhat similar to the Heartbleed bug, which also suffers from SSL2 and SSL3 exploits.

That could be a problem for sites which have developed by adding code and technologies over the years, rather than starting afresh with each new security technique. In particular, sites could be vulnerable if they still have old-fashioned email servers from the days before web-based email became more popular.

According to the researchers, in some specific cases it could be possible to breach a website's server in less than a minute using only a single PC. Even without the most favorable conditions, it would be possible to breach a server in around eight hours using a cloud computing service at a cost of around $440.

Hackers Could Intercept 'Secure' Data

Attackers who successfully exploit the vulnerability could be able to pull off a "man-in-the-middle" attack. That effectively means they reroute and intercept secure communications between a website and a visitor. Not only does this mean the attacker could see personal details that should be encrypted, but they are unlikely to be detected in doing so.

It's down to site operators to fix the problem, but you can check if a website appears vulnerable using an online tool. However, the scan results may not update immediately, even if the website has recently been patched.
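For site operators, the condition described above (SSL2 still supported on a web or mail server, even if unused) can be checked in server configuration. The following is an added example, not code from the article or the researchers: it assumes the Apache SSLProtocol, nginx ssl_protocols and Postfix smtpd_tls_protocols directives, conservatively treats Apache's "all" as including SSLv2 (true only of older builds), and runs on constructed sample lines.

```python
import re

# Directive names are real (Apache mod_ssl, nginx, Postfix); the parsing is a
# simplified model written for this example, not any project's own code.
DIRECTIVE = re.compile(
    r"^\s*(SSLProtocol|ssl_protocols|smtpd_tls_protocols|"
    r"smtpd_tls_mandatory_protocols)\b\s*=?\s*(.*?)\s*;?\s*$", re.IGNORECASE)

def sslv2_enabled(directive, value, all_includes_sslv2=True):
    """Return True if this directive value leaves SSLv2 switched on."""
    tokens = [t.lower() for t in re.split(r"[,\s:]+", value) if t]
    if directive.lower() == "ssl_protocols":       # nginx: plain allow-list
        return "sslv2" in tokens
    if directive.lower().startswith("smtpd_tls"):  # Postfix: "!X" excludes X
        if "!sslv2" in tokens:
            return False
        included = [t for t in tokens if not t.startswith("!")]
        return not included or "sslv2" in included  # exclusions only: rest allowed
    enabled = False              # Apache: +/- edit the set, a bare token replaces it
    for tok in tokens:
        sign, proto = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        hit = proto == "sslv2" or (
            proto == "all" and (sign == "-" or all_includes_sslv2))
        if sign == "-":
            enabled = enabled and not hit
        else:
            enabled = (enabled or hit) if sign == "+" else hit
    return enabled

def audit(config_text):
    """Return (line_number, directive, value) for each line enabling SSLv2."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m and sslv2_enabled(m.group(1), m.group(2)):
            findings.append((n, m.group(1), m.group(2)))
    return findings

SAMPLE = """\
# constructed sample lines covering web and mail servers
SSLProtocol all -SSLv3
SSLProtocol all -SSLv2 -SSLv3
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_protocols TLSv1.2 TLSv1.3;
smtpd_tls_protocols = !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
"""
if __name__ == "__main__":
    for n, d, v in audit(SAMPLE):
        print(f"line {n}: {d} {v!r} leaves SSLv2 enabled")
```

A clean result only covers the files scanned; a server with no such directive falls back to its build's defaults, which this sketch does not model.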

What's Your Opinion?

Are any sites you regularly use for sensitive data affected by Drown? Do sites need to do more to remove outdated technologies that could be compromised? Are you generally confident in using secure sites?
