Need some help? We are here for you! We have a very friendly service - come and chat to us and let us know what you need. We work for an hourly fee and can also provide you a no obligation quote and begin work immediately in most cases. Click "Request Support" or use our Live Chat.
Request support
Within the last couple of weeks a new and serious security vulnerability has been disclosed in OpenSSL that may affect more than 11 Million websites whose servers still support the outdated and insecure SSLv2 version of the Secure Sockets Layer (SSL) protocol. Attackers can run a low-cost attack that decrypts sensitive HTTPS communications, including logins, credit card details and other private information. More worrying still, the decryption can be completed within a couple of hours, or in some cases almost immediately. The security researchers who published the DROWN paper describe it as follows:
We present DROWN, a novel cross-protocol attack that can decrypt passively collected TLS sessions from up-to-date clients by using a server supporting SSLv2 as a Bleichenbacher RSA padding oracle. We present two versions of the attack. The more general form exploits a combination of thus-far unnoticed protocol flaws in SSLv2 to develop a new and stronger variant of the Bleichenbacher attack. A typical scenario requires the attacker to observe 1,000 TLS handshakes, then initiate 40,000 SSLv2 connections and perform 2^50 offline work to decrypt a 2048-bit RSA TLS ciphertext. (The victim client never initiates SSLv2 connections.) We implemented the attack and can decrypt a TLS 1.2 handshake using 2048-bit RSA in under 8 hours using Amazon EC2, at a cost of $440.
What is DROWN? How does DROWN work?
DROWN stands for "Decrypting RSA with Obsolete and Weakened eNcryption". It is a cross-protocol attack: weaknesses in the obsolete SSLv2 protocol are abused to break sessions that were negotiated with the secure Transport Layer Security (TLS) protocol. While current TLS implementations do not negotiate SSLv2, many servers are either not up to date or have overridden this protection for the sake of their applications.
How to fix DROWN on WHM
The first thing you need to do is update all the packages on your server. You will need a competent server administrator to update the required packages; the OpenSSL packages specifically must be updated, but it is a good idea to update every outdated package on the system if possible. Depending on your server's distribution, these commands may be of use:
Debian/Ubuntu (apt-get update only refreshes the package index, so the upgrade itself must follow):
sudo apt-get update && sudo apt-get install --only-upgrade openssl
CentOS/RHEL:
sudo yum update openssl
Once fully updated you need to modify the Apache configuration so that it uses more secure cryptography and disables SSLv2, then restart Apache so the new OpenSSL library and the new settings are actually in use. On Apache builds that support TLS 1.1 and 1.2, add +TLSv1.1 +TLSv1.2 to the SSLProtocol directive so that newer clients are not restricted to TLS 1.0. Note that DROWN also succeeds when any other service (for example a mail server) still offers SSLv2 with the same RSA key or certificate, so every service sharing the key must have SSLv2 disabled. We recommend:
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
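Once both steps are done, the practical check is whether the server still completes an SSLv2 handshake. The Python script below is an added example written for this page; it is not code from the original post or from the DROWN researchers. It assumes the SSLv2 record and message layout of the Netscape SSL 2.0 draft, and the host/port arguments and the sample response bytes are constructed. It sends a minimal SSLv2 CLIENT-HELLO and classifies the reply: a SERVER-HELLO means SSLv2 is still enabled (the DROWN precondition), while a TLS alert or a closed connection means the fix took effect.

```python
"""Probe whether a server still answers an SSLv2 CLIENT-HELLO (the DROWN precondition).

Added example for this page, not code from the original post or from the DROWN
authors. Assumes the SSLv2 record and message layout of the Netscape SSL 2.0
draft; host, port and the sample bytes below are constructed.
"""
import socket
import struct

# The seven standard SSLv2 cipher kinds, three bytes each (constructed list).
SSLV2_CIPHER_KINDS = [
    b"\x01\x00\x80",  # SSL_CK_RC4_128_WITH_MD5
    b"\x02\x00\x80",  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # SSL_CK_RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80",  # SSL_CK_IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40",  # SSL_CK_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Encode an SSLv2 CLIENT-HELLO inside a two-byte SSLv2 record header."""
    ciphers = b"".join(SSLV2_CIPHER_KINDS)
    body = (
        b"\x01"                      # MSG-CLIENT-HELLO
        + b"\x00\x02"                # CLIENT-VERSION 2 (SSLv2)
        + struct.pack("!HHH", len(ciphers), 0, len(challenge))  # cipher, session-id, challenge lengths
        + ciphers
        + challenge
    )
    # Two-byte header: high bit set means "no padding", the remaining 15 bits are the body length.
    return struct.pack("!H", 0x8000 | len(body)) + body


def classify_response(data: bytes) -> str:
    """Classify the first bytes a server sent back after our CLIENT-HELLO."""
    if not data:
        return "no-response"          # connection closed: SSLv2 is not offered
    if len(data) >= 2 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"            # answered with a TLS alert record: SSLv2 is not offered
    if len(data) < 3 or not data[0] & 0x80:
        return "unknown"
    length = ((data[0] & 0x7F) << 8) | data[1]
    if data[2] == 0x04 and length >= 11:
        return "sslv2-server-hello"   # server completed the SSLv2 exchange: still vulnerable
    if data[2] == 0x00:
        return "sslv2-error"          # MSG-ERROR: SSLv2 parsed but refused
    return "unknown"


def parse_server_hello(data: bytes) -> dict:
    """Decode the fields of an SSLv2 SERVER-HELLO record."""
    body = data[2:]
    if body[0] != 0x04:
        raise ValueError("not an SSLv2 SERVER-HELLO")
    version, cert_len, spec_len, conn_id_len = struct.unpack("!HHHH", body[3:11])
    cert = body[11:11 + cert_len]
    specs_raw = body[11 + cert_len:11 + cert_len + spec_len]
    return {
        "session_id_hit": body[1],
        "certificate_type": body[2],
        "version": version,
        "certificate": cert,
        "cipher_specs": [specs_raw[i:i + 3] for i in range(0, len(specs_raw), 3)],
        "connection_id_len": conn_id_len,
    }


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the CLIENT-HELLO and classify whatever comes back (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


# Constructed SERVER-HELLO: version 2, a 4-byte dummy certificate, one cipher spec (3DES)
# and a 16-byte connection id, i.e. the shape of a reply from a server that still speaks SSLv2.
SAMPLE_SERVER_HELLO = (
    b"\x80\x22"                      # record header, body length 34
    + b"\x04\x00\x01"                # MSG-SERVER-HELLO, no session-id hit, X.509 certificate
    + b"\x00\x02"                    # SERVER-VERSION 2
    + b"\x00\x04\x00\x03\x00\x10"    # certificate, cipher-spec and connection-id lengths
    + b"CERT" + b"\x07\x00\xc0" + b"\x11" * 16
)

if __name__ == "__main__":
    import sys
    print("sample:", classify_response(SAMPLE_SERVER_HELLO),
          parse_server_hello(SAMPLE_SERVER_HELLO)["cipher_specs"])
    if len(sys.argv) > 1:            # e.g. python drown_check.py www.example.com 443
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(sys.argv[1], port, check_host(sys.argv[1], port))
```

Run it against every host and port that presents the same RSA certificate, including mail and other non-web services, because DROWN needs only one SSLv2 endpoint per key. A result of "tls-alert" or "no-response" on all of them is what you want to see after the configuration change and restart.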
Need Help?
Here at WebDesires we specialise in web hosting and server management. We have expertise with WHM and Plesk servers (and others) and can perform a DROWN fix for your server. Please fill in the form below to request a quote for fixing the DROWN vulnerability on your server; we offer a professional service with a full money back guarantee if we do not fix the problem. All you will need is ROOT server access, which we will request once you have accepted our quote.