The news coming out of Hackmageddon, that January reported an unusually low number of Attack Techniques", was quite disturbing. Did the security industry really manage to get the upper hand? Wait for it...oh, here comes another devastating vulnerability!
Welcome DROWN attack! (because we truly needed yet another severe threat)
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) initially targets sites via SSLv2, but can quickly spread its tentacles to any version of SSL or TLS. I will not belabor on the vulnerability because a number of sites explain it in good detail.
I cannot help but be a bit dismissive of DROWN; not that it isn't exceedingly dangerous or inexpensive to conduct. The big news is not about the vulnerability itself; rather, it is that one-third of Internet servers are vulnerable to an attack against a protocol that was deprecated after one year, twenty years ago. This vulnerability should be a non-issue as there is no valid argument for this insecure protocol to be in use.
The adage goes that security requires constant vigilance. So why are so many shops failing?
Attack Fatigue: Enterprises cannot keep up with the pace at which new oracle padding attacks and other vulnerabilities pop up
Lack of Visibility: Enterprises do not have visibility to understand if they are vulnerable to POODLE, DROWN etc. For example, how many administrators know if any legitimate clients are still using weak crypto?
Lack of Control: Applications and certificates are scattered across thousands of servers and administrators do not have the ability to enforce a centralized SSL policy.
Responding to Vulnerabilities: Enterprises will be able to respond better and take remediation steps when it takes them five minutes, instead of six months, to update applications.
This isn't vaporware. Companies big and small are doing this today. Avi has regularly blogged about the need move to SSL Everywhere, adopting modern SSL/TLS with Perfect Forward Secrecy, straightforward visibility, and an easy ability to update an entire enterprise in minutes without disruption.
Drop us a note at email@example.com if you would like to get in touch with an expert at Avi!