name: DROWN (Decrypting RSA with Obsolete and Weakened eNcryption)
officially announced: March 2016
what: DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online and send instant messages without third parties being able to read the communication.
how: DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. The measurements indicate ~33% of all HTTPS servers are vulnerable to the attack. The affected list contains payment processors, big shopping sites, online applications, social media sites and highly accessed international or local news websites.
why: This major Internet security vulnerability resulted from the way cryptography was weakened by U.S. government policies that restricted the export of strong cryptography. These restrictions were designed to make it easier for the NSA to decrypt the communications of people abroad.
Do you have SSL installed on your server(s)? If not, kindly tell us in the comments why! If you have, has somebody checked whether this vulnerability has affected your sites?
How to be informed in time and stay safe for your customers: our WordPress maintenance service or the Security audit service handles these types of detection checks, and we inform our customers if they need to take any action. There is no extra cost involved for this consultancy. For the recurrent WordPress maintenance services, we even resolve these types of problems.