An international group of researchers has discovered that web traffic encrypted with Transport Layer Security (TLS) can be decrypted if a server also supports the antiquated SSLv2 cryptographic protocol. The researchers estimate that a staggering 33% of HTTPS-enabled sites are vulnerable to this attack, which they call DROWN, for Decrypting RSA using Obsolete and Weakened eNcryption.
While the SSLv2 protocol has long been known to be weak, the attack is significant because traffic encrypted with the stronger TLS protocol is potentially vulnerable. Communication from a client—like a web browser or mail transfer agent—that insists on TLS encryption may still be subject to the DROWN attack if the server it's talking to supports SSLv2. Using the main DROWN attack variant, the researchers say they were able to decrypt a 2048-bit RSA TLS ciphertext in less than 8 hours using just $440 worth of Amazon EC2 resources.
The attack has its own website that includes a technical paper with more details on how it works. Vulnerable services should move to disable SSLv2 support, and the site provides instructions for how to do so for popular software packages like OpenSSL and various web servers. The site also provides a checker where you can enter a domain or IP address to see whether it is vulnerable to DROWN.
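As an added illustration of the fix the site describes (this is not configuration from the article or the DROWN site), here is an Apache httpd TLS virtual host with SSLv2 left reachable beside its corrected form; the server name and file paths are placeholders.

```apacheconf
# BEFORE: SSLv2 is still negotiable. Clients that insist on TLS are
# still exposed, because the same RSA private key answers SSLv2 handshakes.
# On older mod_ssl builds the "all" shortcut includes SSLv2.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    SSLProtocol all
</VirtualHost>

# AFTER: SSLv2 (and the equally obsolete SSLv3) explicitly disabled.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>

# The private key in example.key must not be served by any other host
# (a mail server, for instance) that still accepts SSLv2: DROWN needs only
# one SSLv2-capable endpoint holding that key to attack TLS sessions.
```

After editing, reload httpd and confirm with `openssl s_client -connect host:443 -ssl2` (on an OpenSSL build that still has SSLv2) that the handshake is refused.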