"DROWN" redirects here. For other uses, see Drown (disambiguation).
This article needs attention from an expert in Cryptography. The specific problem is: new vulnerability. WikiProject Cryptography may be able to help recruit an expert.(March 2016)
DROWN
Broken lock logo symbolizing DROWN attack
CVE identifier(s)
CVE-2016-0800
Date discovered
March 2016; 8 years ago (2016-03)
Discoverer
Nimrod Aviram, Sebastian Schinzel
Affected software
SSL (v2)
Website
drownattack.com
The DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) attack is a cross-protocol security bug that attacks servers supporting modern SSLv3/TLS protocol suites by using their support for the obsolete, insecure, SSL v2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure.[1][2] DROWN can affect all types of servers that offer services encrypted with SSLv3/TLS yet still support SSLv2, provided they share the same public key credentials between the two protocols.[3] Additionally, if the same public key certificate is used on a different server that supports SSLv2, the TLS server is also vulnerable due to the SSLv2 server leaking key information that can be used against the TLS server.[3]
Full details of DROWN were announced in March 2016, along with a patch that disables SSLv2 in OpenSSL; the vulnerability was assigned the ID CVE-2016-0800.[4] The patch alone will not be sufficient to mitigate the attack if the certificate can be found on another SSLv2 host. The only viable countermeasure is to disable SSLv2 on all servers.
The researchers estimated that 33% of all HTTPS sites were affected by this vulnerability as of March 1, 2016.[5]
^Leyden, John (1 March 2016). "One-third of all HTTPS websites open to DROWN attack". The Register. Retrieved 2016-03-02.
^Goodin, Dan (1 March 2016). "More than 11 million HTTPS websites imperiled by new decryption attack". Ars Technica. Retrieved 2016-03-02.
^ ab
Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt. DROWN: Breaking TLS using SSLv2, 2016
^"National Cyber Awareness System Vulnerability Summary for CVE-2016-0800". web.nvd.nist.gov. Retrieved 2016-03-02.
The DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) attack is a cross-protocol security bug that attacks servers supporting modern SSLv3/TLS...
attacker can then deduce the keys the client and server determine using the Diffie–Hellman key exchange. The DROWNattack is an exploit that attacks servers...
Drowning is a type of suffocation induced by the submersion of the mouth and nose in a liquid. Most instances of fatal drowning occur alone or in situations...
amounts of internet traffic via the Logjam vulnerability,[C] and for the DROWNattack, which uses servers supporting old and weak cryptography to decrypt traffic...
The Tokyo subway sarin attack (地下鉄サリン事件, Chikatetsu Sarin Jiken, "Subway Sarin Incident") was an act of domestic terrorism perpetrated on 20 March 1995...
ClientHello fragmentation, and a variant of the DROWN (aka "the special drown") downgrade attacks. [clarification needed] Removing backward compatibility...
This is a list of drowning victims in chronological order. The reasons for drowning are diverse and range from suicide, to accidents or murders. Tiberinus...
unconscious. Martínez drowned before fellow trainers could rescue him. The park repeatedly asserted that this was not an attack but an unfortunate accident...
our regions they will attack men. Near Brecq-Hou, in Sark, they show a cave where a devil-fish a few years since seized and drowned a lobster-fisher. Peron...
"The Drowners" is the debut single of English rock band Suede, released on 11 May 1992 on Nude Records. It was later included on the band's debut album...
A shark attack is an attack on a human by a shark. Every year, around 80 unprovoked attacks are reported worldwide. Despite their rarity, many people...
Ben Drowned (originally published as Haunted Majora's Mask Cartridge) is a three-part multimedia alternate reality game (ARG) web serial and web series...
Amnesty Bay. When Aquaman is transported fathoms below Amnesty Bay, the Drownedattacks him, revealing that the infected Mera has mutated into a gargantuan...
Attacks on parachutists, as defined by the law of war, occur when pilots, aircrew, and passengers are attacked while descending by parachute from disabled...
The 2011 Norway attacks, also called 22 July (Norwegian: 22. juli) or 22/7 in Norway, were two domestic terrorist attacks by far-right extremist Anders...
Drowning Mona is a 2000 American crime comedy film starring Danny DeVito as Wyatt Rash, a local police chief from Verplanck, New York, who investigates...
Dingo attacks on humans are rare in Australia, and when they do occur are generally on young children. However, dingoes are much more of a danger to livestock...
Brazil. Whereas fatal attacks on humans are rare, piranhas will readily feed on bodies of people that already have died, such as drowning victims. Various...
This is a list of fatal shark attacks that occurred in United States territorial waters by decade in chronological order. Citations "White shark". "R-Damiscotte"...
horsemen to meet the attackers but was eventually outmatched. Many of his soldiers were forced into the nearby Han River and drowned. The siege on Fancheng...
Walrus attacks are attacks inflicted upon humans, other walruses and other animals by the walrus. They have been documented in the Arctic by the Inuit...
sharks by holding them upside down to induce tonic immobility in order to drown the shark. The orcas bite off the shark's fins before disemboweling and...
plastic bags over their heads. They then made an unsuccessful attempt to drown another child in the bath. Barrass texted a friend just after 7am alleging...
Gourma-Rharous. The attacks prompted the Malian junta that took power in 2021 to postpone the upcoming 2024 presidential election indefinitely. The attack on the Tombouctou...