Security Bulletin: Drown Vulnerability

As Director of Information Security & Compliance at Keystone, Montez Fitzpatrick works every day to be sure that clients and the public are aware of new and threatening security vulnerabilities. Montez has recently updated Keystone clients and staff on a potential threat.

Critical HTTPS Vulnerability

There is a newly disclosed attack called DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) which exploits vulnerabilities in cryptographic engines which power some websites. It is estimated that 33% of HTTPS servers are vulnerable to this attack, which relies on SSLv2 and weakened cryptographic export regulations to decrypt secure traffic between a server and client.

The defense from this attack is relatively simple; by ensuring that SSLv2 is not enabled as an option on your website will prevent this particular attack from being exploited.

The computing power required to complete this attack in a short amount of time is not trivial. However, it is within the reach of a determined single private individual. That fact alone makes this attack particularly dangerous. This is a good time to touch on keys and secrets; keys are not an inexhaustible resource which has an indefinite lifetime; consequently, their useful life is determined by how long that key or secret is supposed to protect the system by ensuring confidentiality among trusted parties. It is beneficial to ensure that critical systems have an appropriate key rotation schedule.

For more detailed information on DROWN, please visit: https://drownattack.com/

How will Keystone support and protect clients?

Keystone will be reviewing all HTTPS client sites to ensure this vulnerability is not present. To this end, Keystone will send a follow-up e-mail to client contacts with the status of your environment, in it will be important details regarding this vulnerability. Evaluations will begin immediately, and is expected to be completed by 11-March-2016. Please contact security@keystone-it.com if you have not had a status update by COB on that day.

Leave a comment