
Is your website vulnerable to the Drown attack?

There is a hacking technique called the DROWN attack that leaves websites vulnerable even though they use the encrypted HTTPS protocol. Researchers from the US, Germany and Israel have said that about a third of *all* servers using HTTPS are vulnerable, and that attackers could be out there stealing passwords, credit card information, emails or sensitive documents.

A fix has been released, although it will take some time for the majority of administrators to apply it.

The researchers have also said they did not want to publish their proof of concept, as many sites are still vulnerable and it would be too much of a risk.

There is also a tool that lets you check whether your website is vulnerable. It is not aimed at the average user, though: only server administrators can act on the result.

"Operators of vulnerable servers need to take action," the researchers said in a blog post. "There is nothing practical that browsers or end-users can do on their own to protect against this attack."

Speaking to the BBC on the matter, an independent researcher said the problem was real, and that it was all "perfectly avoidable".

"What is shocking about this is that they have found a way to use a very old fault that we have known about since 1998," said Prof Alan Woodward, from the University of Surrey.

"And all this was perfectly avoidable."

"It is a result of us having used deliberately weakened encryption, which people broke years ago, and it is now coming back to haunt us."