The Lesson From DROWN: Bad Crypto Can Be Worse Than No Crypto

Graham Steel
March 1, 2016

Today sees the public release of details of DROWN, another "full-stack" crypto vulnerability in TLS, involving new mathematical insights into the Bleichenbacher attack on PKCS#1v1.5 encryption, implementation bugs, failure to turn off old versions and real-world implementation data from Internet-wide scans showing that DROWN affects as many as 35% of HTTPS servers. It's a really nice piece of work - this truly is the golden age of applied crypto research.

One particular lesson from DROWN is that sometimes, bad cryptography is worse than no cryptography. For some time, the "folklore" around configuring TLS for mail transport (SMTP) has been that it is best to leave all SSL and TLS versions enabled, because if no successful SSL or TLS handshake is completed, mail transport will fall back to plaintext. But with DROWN, we see that leaving SSLv2 enabled allows an attacker to decrypt mail sent over TLS1.2, which would have otherwise been secure. If the same RSA key material is used on other servers, the mailserver's SSLv2 can be used to attack them, as well.

DROWN should give more momentum to the movement towards secure crypto everywhere. To test your external-facing crypto services for DROWN and other issues, you can use our tool at discovery.cryptosense.com. To go deeper on the crypto inside your Java applications read our white paper.